From a85a452b38f889baff28e6d2792b31778e00b481 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 00:15:25 +0000 Subject: [PATCH 1/3] fix: apply audit fixes --- dist/restore/index.js | 2861 ++++++++++++++++++++++++++++++++++------- 1 file changed, 2410 insertions(+), 451 deletions(-) diff --git a/dist/restore/index.js b/dist/restore/index.js index 14578f0..7b7c1e7 100644 --- a/dist/restore/index.js +++ b/dist/restore/index.js @@ -199488,7 +199488,7 @@ module.exports = axios; /***/ 74577: /***/ ((module) => { -(()=>{"use strict";var t={d:(e,i)=>{for(var n in i)t.o(i,n)&&!t.o(e,n)&&Object.defineProperty(e,n,{enumerable:!0,get:i[n]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{XMLBuilder:()=>$t,XMLParser:()=>gt,XMLValidator:()=>It});const i=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",n=new RegExp("^["+i+"]["+i+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function s(t,e){const i=[];let n=e.exec(t);for(;n;){const s=[];s.startIndex=e.lastIndex-n[0].length;const r=n.length;for(let t=0;t"!==t[r]&&" "!==t[r]&&"\t"!==t[r]&&"\n"!==t[r]&&"\r"!==t[r];r++)h+=t[r];if(h=h.trim(),"/"===h[h.length-1]&&(h=h.substring(0,h.length-1),r--),!y(h)){let e;return e=0===h.trim().length?"Invalid space after '<'.":"Tag '"+h+"' is an invalid name.",b("InvalidTag",e,w(t,r))}const l=g(t,r);if(!1===l)return b("InvalidAttr","Attributes for '"+h+"' have open quote.",w(t,r));let d=l.value;if(r=l.index,"/"===d[d.length-1]){const i=r-d.length;d=d.substring(0,d.length-1);const s=x(d,e);if(!0!==s)return b(s.err.code,s.err.msg,w(t,i+s.err.line));n=!0}else if(a){if(!l.tagClosed)return b("InvalidTag","Closing tag '"+h+"' doesn't have proper closing.",w(t,r));if(d.trim().length>0)return b("InvalidTag","Closing tag '"+h+"' can't have attributes or invalid starting.",w(t,o));if(0===i.length)return b("InvalidTag","Closing tag '"+h+"' has not been opened.",w(t,o));{const e=i.pop();if(h!==e.tagName){let i=w(t,e.tagStartPos);return b("InvalidTag","Expected closing tag '"+e.tagName+"' (opened in line "+i.line+", col "+i.col+") instead of closing tag '"+h+"'.",w(t,o))}0==i.length&&(s=!0)}}else{const a=x(d,e);if(!0!==a)return b(a.err.code,a.err.msg,w(t,r-d.length+a.err.line));if(!0===s)return b("InvalidXml","Multiple possible root nodes found.",w(t,r));-1!==e.unpairedTags.indexOf(h)||i.push({tagName:h,tagStartPos:o}),n=!0}for(r++;r0)||b("InvalidXml","Invalid '"+JSON.stringify(i.map(t=>t.tagName),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):b("InvalidXml","Start tag expected.",1)}function p(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function u(t,e){const i=e;for(;e5&&"xml"===n)return b("InvalidXml","XML declaration allowed only at the start of the document.",w(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}continue}return e}function c(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){let i=1;for(e+=8;e"===t[e]&&(i--,0===i))break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e"===t[e+2]){e+=2;break}return e}const d='"',f="'";function g(t,e){let i="",n="",s=!1;for(;e"===t[e]&&""===n){s=!0;break}i+=t[e]}return""===n&&{value:i,index:e,tagClosed:s}}const m=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function x(t,e){const i=s(t,m),n={};for(let t=0;to.includes(t)?"__"+t:t,P={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:()=>!1,commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,i){return t},captureMetaData:!1,maxNestedTags:100,strictReservedNames:!0,jPath:!0,onDangerousProperty:T};function S(t,e){if("string"!=typeof t)return;const i=t.toLowerCase();if(o.some(t=>i===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);if(a.some(t=>i===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`)}function A(t){return"boolean"==typeof t?{enabled:t,maxEntitySize:1e4,maxExpansionDepth:10,maxTotalExpansions:1e3,maxExpandedLength:1e5,maxEntityCount:100,allowedTags:null,tagFilter:null}:"object"==typeof t&&null!==t?{enabled:!1!==t.enabled,maxEntitySize:Math.max(1,t.maxEntitySize??1e4),maxExpansionDepth:Math.max(1,t.maxExpansionDepth??10),maxTotalExpansions:Math.max(1,t.maxTotalExpansions??1e3),maxExpandedLength:Math.max(1,t.maxExpandedLength??1e5),maxEntityCount:Math.max(1,t.maxEntityCount??100),allowedTags:t.allowedTags??null,tagFilter:t.tagFilter??null}:A(!0)}const O=function(t){const e=Object.assign({},P,t),i=[{value:e.attributeNamePrefix,name:"attributeNamePrefix"},{value:e.attributesGroupName,name:"attributesGroupName"},{value:e.textNodeName,name:"textNodeName"},{value:e.cdataPropName,name:"cdataPropName"},{value:e.commentPropName,name:"commentPropName"}];for(const{value:t,name:e}of i)t&&S(t,e);return null===e.onDangerousProperty&&(e.onDangerousProperty=T),e.processEntities=A(e.processEntities),e.stopNodes&&Array.isArray(e.stopNodes)&&(e.stopNodes=e.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),e};let C;C="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");class ${constructor(t){this.tagname=t,this.child=[],this[":@"]=Object.create(null)}add(t,e){"__proto__"===t&&(t="#__proto__"),this.child.push({[t]:e})}addChild(t,e){"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push({[t.tagname]:t.child,":@":t[":@"]}):this.child.push({[t.tagname]:t.child}),void 0!==e&&(this.child[this.child.length-1][C]={startIndex:e})}static getMetaDataSymbol(){return C}}class I{constructor(t){this.suppressValidationErr=!t,this.options=t}readDocType(t,e){const i=Object.create(null);let n=0;if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");{e+=9;let s=1,r=!1,o=!1,a="";for(;e"===t[e]){if(o?"-"===t[e-1]&&"-"===t[e-2]&&(o=!1,s--):s--,0===s)break}else"["===t[e]?r=!0:a+=t[e];else{if(r&&M(t,"!ENTITY",e)){let s,r;if(e+=7,[s,r,e]=this.readEntityExp(t,e+1,this.suppressValidationErr),-1===r.indexOf("&")){if(!1!==this.options.enabled&&null!=this.options.maxEntityCount&&n>=this.options.maxEntityCount)throw new Error(`Entity count (${n+1}) exceeds maximum allowed (${this.options.maxEntityCount})`);const t=s.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");i[s]={regx:RegExp(`&${t};`,"g"),val:r},n++}}else if(r&&M(t,"!ELEMENT",e)){e+=8;const{index:i}=this.readElementExp(t,e+1);e=i}else if(r&&M(t,"!ATTLIST",e))e+=8;else if(r&&M(t,"!NOTATION",e)){e+=9;const{index:i}=this.readNotationExp(t,e+1,this.suppressValidationErr);e=i}else{if(!M(t,"!--",e))throw new Error("Invalid DOCTYPE");o=!0}s++,a=""}if(0!==s)throw new Error("Unclosed DOCTYPE")}return{entities:i,i:e}}readEntityExp(t,e){const i=e=j(t,e);for(;ethis.options.maxEntitySize)throw new Error(`Entity "${n}" size (${s.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);return[n,s,--e]}readNotationExp(t,e){const i=e=j(t,e);for(;e{for(;e0&&(this.path[this.path.length-1].values=void 0);const n=this.path.length;this.siblingStacks[n]||(this.siblingStacks[n]=new Map);const s=this.siblingStacks[n],r=i?`${i}:${t}`:t,o=s.get(r)||0;let a=0;for(const t of s.values())a+=t;s.set(r,o+1);const h={tag:t,position:a,counter:o};null!=i&&(h.namespace=i),null!=e&&(h.values=e),this.path.push(h)}pop(){if(0===this.path.length)return;const t=this.path.pop();return this.siblingStacks.length>this.path.length+1&&(this.siblingStacks.length=this.path.length+1),t}updateCurrent(t){if(this.path.length>0){const e=this.path[this.path.length-1];null!=t&&(e.values=t)}}getCurrentTag(){return this.path.length>0?this.path[this.path.length-1].tag:void 0}getCurrentNamespace(){return this.path.length>0?this.path[this.path.length-1].namespace:void 0}getAttrValue(t){if(0===this.path.length)return;const e=this.path[this.path.length-1];return e.values?.[t]}hasAttr(t){if(0===this.path.length)return!1;const e=this.path[this.path.length-1];return void 0!==e.values&&t in e.values}getPosition(){return 0===this.path.length?-1:this.path[this.path.length-1].position??0}getCounter(){return 0===this.path.length?-1:this.path[this.path.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this.path.length}toString(t,e=!0){const i=t||this.separator;return this.path.map(t=>e&&t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(i)}toArray(){return this.path.map(t=>t.tag)}reset(){this.path=[],this.siblingStacks=[]}matches(t){const e=t.segments;return 0!==e.length&&(t.hasDeepWildcard()?this._matchWithDeepWildcard(e):this._matchSimple(e))}_matchSimple(t){if(this.path.length!==t.length)return!1;for(let e=0;e=0&&e>=0;){const n=t[i];if("deep-wildcard"===n.type){if(i--,i<0)return!0;const n=t[i];let s=!1;for(let t=e;t>=0;t--){const r=t===this.path.length-1;if(this._matchSegment(n,this.path[t],r)){e=t-1,i--,s=!0;break}}if(!s)return!1}else{const t=e===this.path.length-1;if(!this._matchSegment(n,this.path[e],t))return!1;e--,i--}}return i<0}_matchSegment(t,e,i){if("*"!==t.tag&&t.tag!==e.tag)return!1;if(void 0!==t.namespace&&"*"!==t.namespace&&t.namespace!==e.namespace)return!1;if(void 0!==t.attrName){if(!i)return!1;if(!e.values||!(t.attrName in e.values))return!1;if(void 0!==t.attrValue){const i=e.values[t.attrName];if(String(i)!==String(t.attrValue))return!1}}if(void 0!==t.position){if(!i)return!1;const n=e.counter??0;if("first"===t.position&&0!==n)return!1;if("odd"===t.position&&n%2!=1)return!1;if("even"===t.position&&n%2!=0)return!1;if("nth"===t.position&&n!==t.positionValue)return!1}return!0}snapshot(){return{path:this.path.map(t=>({...t})),siblingStacks:this.siblingStacks.map(t=>new Map(t))}}restore(t){this.path=t.path.map(t=>({...t})),this.siblingStacks=t.siblingStacks.map(t=>new Map(t))}readOnly(){return new Proxy(this,{get(t,e,i){if(L.has(e))return()=>{throw new TypeError(`Cannot call '${e}' on a read-only Matcher. Obtain a writable instance to mutate state.`)};const n=Reflect.get(t,e,i);return"path"===e||"siblingStacks"===e?Object.freeze(Array.isArray(n)?n.map(t=>t instanceof Map?Object.freeze(new Map(t)):Object.freeze({...t})):n):"function"==typeof n?n.bind(t):n},set(t,e){throw new TypeError(`Cannot set property '${String(e)}' on a read-only Matcher.`)},deleteProperty(t,e){throw new TypeError(`Cannot delete property '${String(e)}' from a read-only Matcher.`)}})}}class R{constructor(t,e={}){this.pattern=t,this.separator=e.separator||".",this.segments=this._parse(t),this._hasDeepWildcard=this.segments.some(t=>"deep-wildcard"===t.type),this._hasAttributeCondition=this.segments.some(t=>void 0!==t.attrName),this._hasPositionSelector=this.segments.some(t=>void 0!==t.position)}_parse(t){const e=[];let i=0,n="";for(;i0){const i=t.substring(0,e);if("xmlns"!==i)return i}}class W{constructor(t){var e;if(this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.docTypeEntities={},this.lastEntities={apos:{regex:/&(apos|#39|#x27);/g,val:"'"},gt:{regex:/&(gt|#62|#x3E);/g,val:">"},lt:{regex:/&(lt|#60|#x3C);/g,val:"<"},quot:{regex:/&(quot|#34|#x22);/g,val:'"'}},this.ampEntity={regex:/&(amp|#38|#x26);/g,val:"&"},this.htmlEntities={space:{regex:/&(nbsp|#160);/g,val:" "},cent:{regex:/&(cent|#162);/g,val:"¢"},pound:{regex:/&(pound|#163);/g,val:"£"},yen:{regex:/&(yen|#165);/g,val:"¥"},euro:{regex:/&(euro|#8364);/g,val:"€"},copyright:{regex:/&(copy|#169);/g,val:"©"},reg:{regex:/&(reg|#174);/g,val:"®"},inr:{regex:/&(inr|#8377);/g,val:"₹"},num_dec:{regex:/&#([0-9]{1,7});/g,val:(t,e)=>rt(e,10,"&#")},num_hex:{regex:/&#x([0-9a-fA-F]{1,6});/g,val:(t,e)=>rt(e,16,"&#x")}},this.addExternalEntities=Y,this.parseXml=J,this.parseTextData=z,this.resolveNameSpace=X,this.buildAttributesMap=Z,this.isItStopNode=tt,this.replaceEntitiesValue=Q,this.readStopNodeData=nt,this.saveTextToParentTag=H,this.addChild=K,this.ignoreAttributesFn="function"==typeof(e=this.options.ignoreAttributes)?e:Array.isArray(e)?t=>{for(const i of e){if("string"==typeof i&&t===i)return!0;if(i instanceof RegExp&&i.test(t))return!0}}:()=>!1,this.entityExpansionCount=0,this.currentExpandedLength=0,this.matcher=new G,this.readonlyMatcher=this.matcher.readOnly(),this.isCurrentNodeStopNode=!1,this.options.stopNodes&&this.options.stopNodes.length>0){this.stopNodeExpressions=[];for(let t=0;t0)){o||(t=this.replaceEntitiesValue(t,e,i));const n=this.options.jPath?i.toString():i,a=this.options.tagValueProcessor(e,t,n,s,r);return null==a?t:typeof a!=typeof t||a!==t?a:this.options.trimValues||t.trim()===t?st(t,this.options.parseTagValue,this.options.numberParseOptions):t}}function X(t){if(this.options.removeNSPrefix){const e=t.split(":"),i="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=i+e[1])}return t}const q=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function Z(t,e,i){if(!0!==this.options.ignoreAttributes&&"string"==typeof t){const n=s(t,q),r=n.length,o={},a={};for(let t=0;t0&&"object"==typeof e&&e.updateCurrent&&e.updateCurrent(a);for(let t=0;t",r,"Closing Tag is not closed.");let s=t.substring(r+2,e).trim();if(this.options.removeNSPrefix){const t=s.indexOf(":");-1!==t&&(s=s.substr(t+1))}s=ot(this.options.transformTagName,s,"",this.options).tagName,i&&(n=this.saveTextToParentTag(n,i,this.readonlyMatcher));const o=this.matcher.getCurrentTag();if(s&&-1!==this.options.unpairedTags.indexOf(s))throw new Error(`Unpaired tag can not be used as closing tag: `);o&&-1!==this.options.unpairedTags.indexOf(o)&&(this.matcher.pop(),this.tagsNodeStack.pop()),this.matcher.pop(),this.isCurrentNodeStopNode=!1,i=this.tagsNodeStack.pop(),n="",r=e}else if("?"===t[r+1]){let e=it(t,r,!1,"?>");if(!e)throw new Error("Pi Tag is not closed.");if(n=this.saveTextToParentTag(n,i,this.readonlyMatcher),this.options.ignoreDeclaration&&"?xml"===e.tagName||this.options.ignorePiTags);else{const t=new $(e.tagName);t.add(this.options.textNodeName,""),e.tagName!==e.tagExp&&e.attrExpPresent&&(t[":@"]=this.buildAttributesMap(e.tagExp,this.matcher,e.tagName)),this.addChild(i,t,this.readonlyMatcher,r)}r=e.closeIndex+1}else if("!--"===t.substr(r+1,3)){const e=et(t,"--\x3e",r+4,"Comment is not closed.");if(this.options.commentPropName){const s=t.substring(r+4,e-2);n=this.saveTextToParentTag(n,i,this.readonlyMatcher),i.add(this.options.commentPropName,[{[this.options.textNodeName]:s}])}r=e}else if("!D"===t.substr(r+1,2)){const e=s.readDocType(t,r);this.docTypeEntities=e.entities,r=e.i}else if("!["===t.substr(r+1,2)){const e=et(t,"]]>",r,"CDATA is not closed.")-2,s=t.substring(r+9,e);n=this.saveTextToParentTag(n,i,this.readonlyMatcher);let o=this.parseTextData(s,i.tagname,this.readonlyMatcher,!0,!1,!0,!0);null==o&&(o=""),this.options.cdataPropName?i.add(this.options.cdataPropName,[{[this.options.textNodeName]:s}]):i.add(this.options.textNodeName,o),r=e+2}else{let s=it(t,r,this.options.removeNSPrefix);if(!s){const e=t.substring(Math.max(0,r-50),Math.min(t.length,r+50));throw new Error(`readTagExp returned undefined at position ${r}. Context: "${e}"`)}let o=s.tagName;const a=s.rawTagName;let h=s.tagExp,l=s.attrExpPresent,p=s.closeIndex;if(({tagName:o,tagExp:h}=ot(this.options.transformTagName,o,h,this.options)),this.options.strictReservedNames&&(o===this.options.commentPropName||o===this.options.cdataPropName||o===this.options.textNodeName||o===this.options.attributesGroupName))throw new Error(`Invalid tag name: ${o}`);i&&n&&"!xml"!==i.tagname&&(n=this.saveTextToParentTag(n,i,this.readonlyMatcher,!1));const u=i;u&&-1!==this.options.unpairedTags.indexOf(u.tagname)&&(i=this.tagsNodeStack.pop(),this.matcher.pop());let c=!1;h.length>0&&h.lastIndexOf("/")===h.length-1&&(c=!0,"/"===o[o.length-1]?(o=o.substr(0,o.length-1),h=o):h=h.substr(0,h.length-1),l=o!==h);let d,f=null,g={};d=B(a),o!==e.tagname&&this.matcher.push(o,{},d),o!==h&&l&&(f=this.buildAttributesMap(h,this.matcher,o),f&&(g=U(f,this.options))),o!==e.tagname&&(this.isCurrentNodeStopNode=this.isItStopNode(this.stopNodeExpressions,this.matcher));const m=r;if(this.isCurrentNodeStopNode){let e="";if(c)r=s.closeIndex;else if(-1!==this.options.unpairedTags.indexOf(o))r=s.closeIndex;else{const i=this.readStopNodeData(t,a,p+1);if(!i)throw new Error(`Unexpected end of ${a}`);r=i.i,e=i.tagContent}const n=new $(o);f&&(n[":@"]=f),n.add(this.options.textNodeName,e),this.matcher.pop(),this.isCurrentNodeStopNode=!1,this.addChild(i,n,this.readonlyMatcher,m)}else{if(c){({tagName:o,tagExp:h}=ot(this.options.transformTagName,o,h,this.options));const t=new $(o);f&&(t[":@"]=f),this.addChild(i,t,this.readonlyMatcher,m),this.matcher.pop(),this.isCurrentNodeStopNode=!1}else{if(-1!==this.options.unpairedTags.indexOf(o)){const t=new $(o);f&&(t[":@"]=f),this.addChild(i,t,this.readonlyMatcher,m),this.matcher.pop(),this.isCurrentNodeStopNode=!1,r=s.closeIndex;continue}{const t=new $(o);if(this.tagsNodeStack.length>this.options.maxNestedTags)throw new Error("Maximum nested tags exceeded");this.tagsNodeStack.push(i),f&&(t[":@"]=f),this.addChild(i,t,this.readonlyMatcher,m),i=t}}n="",r=p}}else n+=t[r];return e.child};function K(t,e,i,n){this.options.captureMetaData||(n=void 0);const s=this.options.jPath?i.toString():i,r=this.options.updateTag(e.tagname,s,e[":@"]);!1===r||("string"==typeof r?(e.tagname=r,t.addChild(e,n)):t.addChild(e,n))}function Q(t,e,i){const n=this.options.processEntities;if(!n||!n.enabled)return t;if(n.allowedTags){const s=this.options.jPath?i.toString():i;if(!(Array.isArray(n.allowedTags)?n.allowedTags.includes(e):n.allowedTags(e,s)))return t}if(n.tagFilter){const s=this.options.jPath?i.toString():i;if(!n.tagFilter(e,s))return t}for(const e of Object.keys(this.docTypeEntities)){const i=this.docTypeEntities[e],s=t.match(i.regx);if(s){if(this.entityExpansionCount+=s.length,n.maxTotalExpansions&&this.entityExpansionCount>n.maxTotalExpansions)throw new Error(`Entity expansion limit exceeded: ${this.entityExpansionCount} > ${n.maxTotalExpansions}`);const e=t.length;if(t=t.replace(i.regx,i.val),n.maxExpandedLength&&(this.currentExpandedLength+=t.length-e,this.currentExpandedLength>n.maxExpandedLength))throw new Error(`Total expanded content size exceeded: ${this.currentExpandedLength} > ${n.maxExpandedLength}`)}}for(const e of Object.keys(this.lastEntities)){const i=this.lastEntities[e],s=t.match(i.regex);if(s&&(this.entityExpansionCount+=s.length,n.maxTotalExpansions&&this.entityExpansionCount>n.maxTotalExpansions))throw new Error(`Entity expansion limit exceeded: ${this.entityExpansionCount} > ${n.maxTotalExpansions}`);t=t.replace(i.regex,i.val)}if(-1===t.indexOf("&"))return t;if(this.options.htmlEntities)for(const e of Object.keys(this.htmlEntities)){const i=this.htmlEntities[e],s=t.match(i.regex);if(s&&(this.entityExpansionCount+=s.length,n.maxTotalExpansions&&this.entityExpansionCount>n.maxTotalExpansions))throw new Error(`Entity expansion limit exceeded: ${this.entityExpansionCount} > ${n.maxTotalExpansions}`);t=t.replace(i.regex,i.val)}return t.replace(this.ampEntity.regex,this.ampEntity.val)}function H(t,e,i,n){return t&&(void 0===n&&(n=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,i,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,n))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function tt(t,e){if(!t||0===t.length)return!1;for(let i=0;i"){let n,s="";for(let r=e;r",i,`${e} is not closed`);if(t.substring(i+2,r).trim()===e&&(s--,0===s))return{tagContent:t.substring(n,i),i:r};i=r}else if("?"===t[i+1])i=et(t,"?>",i+1,"StopNode is not closed.");else if("!--"===t.substr(i+1,3))i=et(t,"--\x3e",i+3,"StopNode is not closed.");else if("!["===t.substr(i+1,2))i=et(t,"]]>",i,"StopNode is not closed.")-2;else{const n=it(t,i,">");n&&((n&&n.tagName)===e&&"/"!==n.tagExp[n.tagExp.length-1]&&s++,i=n.closeIndex)}}function st(t,e,i){if(e&&"string"==typeof t){const e=t.trim();return"true"===e||"false"!==e&&function(t,e={}){if(e=Object.assign({},k,e),!t||"string"!=typeof t)return t;let i=t.trim();if(void 0!==e.skipLike&&e.skipLike.test(i))return t;if("0"===t)return 0;if(e.hex&&D.test(i))return function(t){if(parseInt)return parseInt(t,16);if(Number.parseInt)return Number.parseInt(t,16);if(window&&window.parseInt)return window.parseInt(t,16);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}(i);if(isFinite(i)){if(i.includes("e")||i.includes("E"))return function(t,e,i){if(!i.eNotation)return t;const n=e.match(F);if(n){let s=n[1]||"";const r=-1===n[3].indexOf("e")?"E":"e",o=n[2],a=s?t[o.length+1]===r:t[o.length]===r;return o.length>1&&a?t:(1!==o.length||!n[3].startsWith(`.${r}`)&&n[3][0]!==r)&&o.length>0?i.leadingZeros&&!a?(e=(n[1]||"")+n[3],Number(e)):t:Number(e)}return t}(t,i,e);{const s=V.exec(i);if(s){const r=s[1]||"",o=s[2];let a=(n=s[3])&&-1!==n.indexOf(".")?("."===(n=n.replace(/0+$/,""))?n="0":"."===n[0]?n="0"+n:"."===n[n.length-1]&&(n=n.substring(0,n.length-1)),n):n;const h=r?"."===t[o.length+1]:"."===t[o.length];if(!e.leadingZeros&&(o.length>1||1===o.length&&!h))return t;{const n=Number(i),s=String(n);if(0===n)return n;if(-1!==s.search(/[eE]/))return e.eNotation?n:t;if(-1!==i.indexOf("."))return"0"===s||s===a||s===`${r}${a}`?n:t;let h=o?a:i;return o?h===s||r+h===s?n:t:h===s||h===r+s?n:t}}return t}}var n;return function(t,e,i){const n=e===1/0;switch(i.infinity.toLowerCase()){case"null":return null;case"infinity":return e;case"string":return n?"Infinity":"-Infinity";default:return t}}(t,Number(i),e)}(t,i)}return void 0!==t?t:""}function rt(t,e,i){const n=Number.parseInt(t,e);return n>=0&&n<=1114111?String.fromCodePoint(n):i+t+";"}function ot(t,e,i,n){if(t){const n=t(e);i===e&&(i=n),e=n}return{tagName:e=at(e,n),tagExp:i}}function at(t,e){if(a.includes(t))throw new Error(`[SECURITY] Invalid name: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);return o.includes(t)?e.onDangerousProperty(t):t}const ht=$.getMetaDataSymbol();function lt(t,e){if(!t||"object"!=typeof t)return{};if(!e)return t;const i={};for(const n in t)n.startsWith(e)?i[n.substring(e.length)]=t[n]:i[n]=t[n];return i}function pt(t,e,i,n){return ut(t,e,i,n)}function ut(t,e,i,n){let s;const r={};for(let o=0;o0&&(r[e.textNodeName]=s):void 0!==s&&(r[e.textNodeName]=s),r}function ct(t){const e=Object.keys(t);for(let t=0;t0&&(i="\n");const n=[];if(e.stopNodes&&Array.isArray(e.stopNodes))for(let t=0;te.maxNestedTags)throw new Error("Maximum nested tags exceeded");if(!Array.isArray(t)){if(null!=t){let i=t.toString();return i=Tt(i,e),i}return""}for(let a=0;a`,o=!1,n.pop();continue}if(l===e.commentPropName){r+=i+`\x3c!--${h[l][0][e.textNodeName]}--\x3e`,o=!0,n.pop();continue}if("?"===l[0]){const t=wt(h[":@"],e,u),s="?xml"===l?"":i;let a=h[l][0][e.textNodeName];a=0!==a.length?" "+a:"",r+=s+`<${l}${a}${t}?>`,o=!0,n.pop();continue}let c=i;""!==c&&(c+=e.indentBy);const d=i+`<${l}${wt(h[":@"],e,u)}`;let f;f=u?bt(h[l],e):xt(h[l],e,c,n,s),-1!==e.unpairedTags.indexOf(l)?e.suppressUnpairedNode?r+=d+">":r+=d+"/>":f&&0!==f.length||!e.suppressEmptyNode?f&&f.endsWith(">")?r+=d+`>${f}${i}`:(r+=d+">",f&&""!==i&&(f.includes("/>")||f.includes("`):r+=d+"/>",o=!0,n.pop()}return r}function Nt(t,e){if(!t||e.ignoreAttributes)return null;const i={};let n=!1;for(let s in t)Object.prototype.hasOwnProperty.call(t,s)&&(i[s.startsWith(e.attributeNamePrefix)?s.substr(e.attributeNamePrefix.length):s]=t[s],n=!0);return n?i:null}function bt(t,e){if(!Array.isArray(t))return null!=t?t.toString():"";let i="";for(let n=0;n${n}`:i+=`<${r}${t}/>`}}}return i}function Et(t,e){let i="";if(t&&!e.ignoreAttributes)for(let n in t){if(!Object.prototype.hasOwnProperty.call(t,n))continue;let s=t[n];!0===s&&e.suppressBooleanAttributes?i+=` ${n.substr(e.attributeNamePrefix.length)}`:i+=` ${n.substr(e.attributeNamePrefix.length)}="${s}"`}return i}function yt(t){const e=Object.keys(t);for(let i=0;i0&&e.processEntities)for(let i=0;i","g"),val:">"},{regex:new RegExp("<","g"),val:"<"},{regex:new RegExp("'","g"),val:"'"},{regex:new RegExp('"',"g"),val:"""}],processEntities:!0,stopNodes:[],oneListGroup:!1,maxNestedTags:100,jPath:!0};function St(t){if(this.options=Object.assign({},Pt,t),this.options.stopNodes&&Array.isArray(this.options.stopNodes)&&(this.options.stopNodes=this.options.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),this.stopNodeExpressions=[],this.options.stopNodes&&Array.isArray(this.options.stopNodes))for(let t=0;t{for(const i of e){if("string"==typeof i&&t===i)return!0;if(i instanceof RegExp&&i.test(t))return!0}}:()=>!1,this.attrPrefixLen=this.options.attributeNamePrefix.length,this.isAttribute=Ct),this.processTextOrObjNode=At,this.options.format?(this.indentate=Ot,this.tagEndChar=">\n",this.newLine="\n"):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function At(t,e,i,n){const s=this.extractAttributes(t);if(n.push(e,s),this.checkStopNode(n)){const s=this.buildRawContent(t),r=this.buildAttributesForStopNode(t);return n.pop(),this.buildObjectNode(s,e,r,i)}const r=this.j2x(t,i+1,n);return n.pop(),void 0!==t[this.options.textNodeName]&&1===Object.keys(t).length?this.buildTextValNode(t[this.options.textNodeName],e,r.attrStr,i,n):this.buildObjectNode(r.val,e,r.attrStr,i)}function Ot(t){return this.options.indentBy.repeat(t)}function Ct(t){return!(!t.startsWith(this.options.attributeNamePrefix)||t===this.options.textNodeName)&&t.substr(this.attrPrefixLen)}St.prototype.build=function(t){if(this.options.preserveOrder)return mt(t,this.options);{Array.isArray(t)&&this.options.arrayNodeName&&this.options.arrayNodeName.length>1&&(t={[this.options.arrayNodeName]:t});const e=new G;return this.j2x(t,0,e).val}},St.prototype.j2x=function(t,e,i){let n="",s="";if(this.options.maxNestedTags&&i.getDepth()>=this.options.maxNestedTags)throw new Error("Maximum nested tags exceeded");const r=this.options.jPath?i.toString():i,o=this.checkStopNode(i);for(let a in t)if(Object.prototype.hasOwnProperty.call(t,a))if(void 0===t[a])this.isAttribute(a)&&(s+="");else if(null===t[a])this.isAttribute(a)||a===this.options.cdataPropName?s+="":"?"===a[0]?s+=this.indentate(e)+"<"+a+"?"+this.tagEndChar:s+=this.indentate(e)+"<"+a+"/"+this.tagEndChar;else if(t[a]instanceof Date)s+=this.buildTextValNode(t[a],a,"",e,i);else if("object"!=typeof t[a]){const h=this.isAttribute(a);if(h&&!this.ignoreAttributesFn(h,r))n+=this.buildAttrPairStr(h,""+t[a],o);else if(!h)if(a===this.options.textNodeName){let e=this.options.tagValueProcessor(a,""+t[a]);s+=this.replaceEntitiesValue(e)}else{i.push(a);const n=this.checkStopNode(i);if(i.pop(),n){const i=""+t[a];s+=""===i?this.indentate(e)+"<"+a+this.closeTag(a)+this.tagEndChar:this.indentate(e)+"<"+a+">"+i+""+t+"${t}`;else if("object"==typeof t&&null!==t){const n=this.buildRawContent(t),s=this.buildAttributesForStopNode(t);e+=""===n?`<${i}${s}/>`:`<${i}${s}>${n}`}}else if("object"==typeof n&&null!==n){const t=this.buildRawContent(n),s=this.buildAttributesForStopNode(n);e+=""===t?`<${i}${s}/>`:`<${i}${s}>${t}`}else e+=`<${i}>${n}`}return e},St.prototype.buildAttributesForStopNode=function(t){if(!t||"object"!=typeof t)return"";let e="";if(this.options.attributesGroupName&&t[this.options.attributesGroupName]){const i=t[this.options.attributesGroupName];for(let t in i){if(!Object.prototype.hasOwnProperty.call(i,t))continue;const n=t.startsWith(this.options.attributeNamePrefix)?t.substring(this.options.attributeNamePrefix.length):t,s=i[t];!0===s&&this.options.suppressBooleanAttributes?e+=" "+n:e+=" "+n+'="'+s+'"'}}else for(let i in t){if(!Object.prototype.hasOwnProperty.call(t,i))continue;const n=this.isAttribute(i);if(n){const s=t[i];!0===s&&this.options.suppressBooleanAttributes?e+=" "+n:e+=" "+n+'="'+s+'"'}}return e},St.prototype.buildObjectNode=function(t,e,i,n){if(""===t)return"?"===e[0]?this.indentate(n)+"<"+e+i+"?"+this.tagEndChar:this.indentate(n)+"<"+e+i+this.closeTag(e)+this.tagEndChar;{let s=""+t+s}},St.prototype.closeTag=function(t){let e="";return-1!==this.options.unpairedTags.indexOf(t)?this.options.suppressUnpairedNode||(e="/"):e=this.options.suppressEmptyNode?"/":`>`+this.newLine;if(!1!==this.options.commentPropName&&e===this.options.commentPropName)return this.indentate(n)+`\x3c!--${t}--\x3e`+this.newLine;if("?"===e[0])return this.indentate(n)+"<"+e+i+"?"+this.tagEndChar;{let s=this.options.tagValueProcessor(e,t);return s=this.replaceEntitiesValue(s),""===s?this.indentate(n)+"<"+e+i+this.closeTag(e)+this.tagEndChar:this.indentate(n)+"<"+e+i+">"+s+"0&&this.options.processEntities)for(let e=0;e{"use strict";var t={d:(e,n)=>{for(var i in n)t.o(n,i)&&!t.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:n[i]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{XMLBuilder:()=>Bt,XMLParser:()=>Tt,XMLValidator:()=>Ut});const n=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",i=new RegExp("^["+n+"]["+n+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function s(t,e){const n=[];let i=e.exec(t);for(;i;){const s=[];s.startIndex=e.lastIndex-i[0].length;const r=i.length;for(let t=0;t"!==t[r]&&" "!==t[r]&&"\t"!==t[r]&&"\n"!==t[r]&&"\r"!==t[r];r++)h+=t[r];if(h=h.trim(),"/"===h[h.length-1]&&(h=h.substring(0,h.length-1),r--),!E(h)){let e;return e=0===h.trim().length?"Invalid space after '<'.":"Tag '"+h+"' is an invalid name.",b("InvalidTag",e,w(t,r))}const l=g(t,r);if(!1===l)return b("InvalidAttr","Attributes for '"+h+"' have open quote.",w(t,r));let d=l.value;if(r=l.index,"/"===d[d.length-1]){const n=r-d.length;d=d.substring(0,d.length-1);const s=x(d,e);if(!0!==s)return b(s.err.code,s.err.msg,w(t,n+s.err.line));i=!0}else if(a){if(!l.tagClosed)return b("InvalidTag","Closing tag '"+h+"' doesn't have proper closing.",w(t,r));if(d.trim().length>0)return b("InvalidTag","Closing tag '"+h+"' can't have attributes or invalid starting.",w(t,o));if(0===n.length)return b("InvalidTag","Closing tag '"+h+"' has not been opened.",w(t,o));{const e=n.pop();if(h!==e.tagName){let n=w(t,e.tagStartPos);return b("InvalidTag","Expected closing tag '"+e.tagName+"' (opened in line "+n.line+", col "+n.col+") instead of closing tag '"+h+"'.",w(t,o))}0==n.length&&(s=!0)}}else{const a=x(d,e);if(!0!==a)return b(a.err.code,a.err.msg,w(t,r-d.length+a.err.line));if(!0===s)return b("InvalidXml","Multiple possible root nodes found.",w(t,r));-1!==e.unpairedTags.indexOf(h)||n.push({tagName:h,tagStartPos:o}),i=!0}for(r++;r0)||b("InvalidXml","Invalid '"+JSON.stringify(n.map(t=>t.tagName),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):b("InvalidXml","Start tag expected.",1)}function u(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function p(t,e){const n=e;for(;e5&&"xml"===i)return b("InvalidXml","XML declaration allowed only at the start of the document.",w(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}continue}return e}function c(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){let n=1;for(e+=8;e"===t[e]&&(n--,0===n))break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e"===t[e+2]){e+=2;break}return e}const d='"',f="'";function g(t,e){let n="",i="",s=!1;for(;e"===t[e]&&""===i){s=!0;break}n+=t[e]}return""===i&&{value:n,index:e,tagClosed:s}}const m=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function x(t,e){const n=s(t,m),i={};for(let t=0;to.includes(t)?"__"+t:t,_={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:()=>!1,commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,entityDecoder:null,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,n){return t},captureMetaData:!1,maxNestedTags:100,strictReservedNames:!0,jPath:!0,onDangerousProperty:S};function A(t,e){if("string"!=typeof t)return;const n=t.toLowerCase();if(o.some(t=>n===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);if(a.some(t=>n===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`)}function T(t,e){return"boolean"==typeof t?{enabled:t,maxEntitySize:1e4,maxExpansionDepth:1e4,maxTotalExpansions:1/0,maxExpandedLength:1e5,maxEntityCount:1e3,allowedTags:null,tagFilter:null,appliesTo:"all"}:"object"==typeof t&&null!==t?{enabled:!1!==t.enabled,maxEntitySize:Math.max(1,t.maxEntitySize??1e4),maxExpansionDepth:Math.max(1,t.maxExpansionDepth??1e4),maxTotalExpansions:Math.max(1,t.maxTotalExpansions??1/0),maxExpandedLength:Math.max(1,t.maxExpandedLength??1e5),maxEntityCount:Math.max(1,t.maxEntityCount??1e3),allowedTags:t.allowedTags??null,tagFilter:t.tagFilter??null,appliesTo:t.appliesTo??"all"}:T(!0)}const C=function(t){const e=Object.assign({},_,t),n=[{value:e.attributeNamePrefix,name:"attributeNamePrefix"},{value:e.attributesGroupName,name:"attributesGroupName"},{value:e.textNodeName,name:"textNodeName"},{value:e.cdataPropName,name:"cdataPropName"},{value:e.commentPropName,name:"commentPropName"}];for(const{value:t,name:e}of n)t&&A(t,e);return null===e.onDangerousProperty&&(e.onDangerousProperty=S),e.processEntities=T(e.processEntities,e.htmlEntities),e.unpairedTagsSet=new Set(e.unpairedTags),e.stopNodes&&Array.isArray(e.stopNodes)&&(e.stopNodes=e.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),e};let P;P="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");class O{constructor(t){this.tagname=t,this.child=[],this[":@"]=Object.create(null)}add(t,e){"__proto__"===t&&(t="#__proto__"),this.child.push({[t]:e})}addChild(t,e){"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push({[t.tagname]:t.child,":@":t[":@"]}):this.child.push({[t.tagname]:t.child}),void 0!==e&&(this.child[this.child.length-1][P]={startIndex:e})}static getMetaDataSymbol(){return P}}class ${constructor(t){this.suppressValidationErr=!t,this.options=t}readDocType(t,e){const n=Object.create(null);let i=0;if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");{e+=9;let s=1,r=!1,o=!1,a="";for(;e"===t[e]){if(o?"-"===t[e-1]&&"-"===t[e-2]&&(o=!1,s--):s--,0===s)break}else"["===t[e]?r=!0:a+=t[e];else{if(r&&D(t,"!ENTITY",e)){let s,r;if(e+=7,[s,r,e]=this.readEntityExp(t,e+1,this.suppressValidationErr),-1===r.indexOf("&")){if(!1!==this.options.enabled&&null!=this.options.maxEntityCount&&i>=this.options.maxEntityCount)throw new Error(`Entity count (${i+1}) exceeds maximum allowed (${this.options.maxEntityCount})`);n[s]=r,i++}}else if(r&&D(t,"!ELEMENT",e)){e+=8;const{index:n}=this.readElementExp(t,e+1);e=n}else if(r&&D(t,"!ATTLIST",e))e+=8;else if(r&&D(t,"!NOTATION",e)){e+=9;const{index:n}=this.readNotationExp(t,e+1,this.suppressValidationErr);e=n}else{if(!D(t,"!--",e))throw new Error("Invalid DOCTYPE");o=!0}s++,a=""}if(0!==s)throw new Error("Unclosed DOCTYPE")}return{entities:n,i:e}}readEntityExp(t,e){const n=e=I(t,e);for(;ethis.options.maxEntitySize)throw new Error(`Entity "${i}" size (${s.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);return[i,s,--e]}readNotationExp(t,e){const n=e=I(t,e);for(;e{for(;e0?t[t.length-1].tag:void 0}getCurrentNamespace(){const t=this._matcher.path;return t.length>0?t[t.length-1].namespace:void 0}getAttrValue(t){const e=this._matcher.path;if(0!==e.length)return e[e.length-1].values?.[t]}hasAttr(t){const e=this._matcher.path;if(0===e.length)return!1;const n=e[e.length-1];return void 0!==n.values&&t in n.values}getPosition(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].position??0}getCounter(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this._matcher.path.length}toString(t,e=!0){return this._matcher.toString(t,e)}toArray(){return this._matcher.path.map(t=>t.tag)}matches(t){return this._matcher.matches(t)}matchesAny(t){return t.matchesAny(this._matcher)}}class R{constructor(t={}){this.separator=t.separator||".",this.path=[],this.siblingStacks=[],this._pathStringCache=null,this._view=new F(this)}push(t,e=null,n=null){this._pathStringCache=null,this.path.length>0&&(this.path[this.path.length-1].values=void 0);const i=this.path.length;this.siblingStacks[i]||(this.siblingStacks[i]=new Map);const s=this.siblingStacks[i],r=n?`${n}:${t}`:t,o=s.get(r)||0;let a=0;for(const t of s.values())a+=t;s.set(r,o+1);const h={tag:t,position:a,counter:o};null!=n&&(h.namespace=n),null!=e&&(h.values=e),this.path.push(h)}pop(){if(0===this.path.length)return;this._pathStringCache=null;const t=this.path.pop();return this.siblingStacks.length>this.path.length+1&&(this.siblingStacks.length=this.path.length+1),t}updateCurrent(t){if(this.path.length>0){const e=this.path[this.path.length-1];null!=t&&(e.values=t)}}getCurrentTag(){return this.path.length>0?this.path[this.path.length-1].tag:void 0}getCurrentNamespace(){return this.path.length>0?this.path[this.path.length-1].namespace:void 0}getAttrValue(t){if(0!==this.path.length)return this.path[this.path.length-1].values?.[t]}hasAttr(t){if(0===this.path.length)return!1;const e=this.path[this.path.length-1];return void 0!==e.values&&t in e.values}getPosition(){return 0===this.path.length?-1:this.path[this.path.length-1].position??0}getCounter(){return 0===this.path.length?-1:this.path[this.path.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this.path.length}toString(t,e=!0){const n=t||this.separator;if(n===this.separator&&!0===e){if(null!==this._pathStringCache)return this._pathStringCache;const t=this.path.map(t=>t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(n);return this._pathStringCache=t,t}return this.path.map(t=>e&&t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(n)}toArray(){return this.path.map(t=>t.tag)}reset(){this._pathStringCache=null,this.path=[],this.siblingStacks=[]}matches(t){const e=t.segments;return 0!==e.length&&(t.hasDeepWildcard()?this._matchWithDeepWildcard(e):this._matchSimple(e))}_matchSimple(t){if(this.path.length!==t.length)return!1;for(let e=0;e=0&&e>=0;){const i=t[n];if("deep-wildcard"===i.type){if(n--,n<0)return!0;const i=t[n];let s=!1;for(let t=e;t>=0;t--)if(this._matchSegment(i,this.path[t],t===this.path.length-1)){e=t-1,n--,s=!0;break}if(!s)return!1}else{if(!this._matchSegment(i,this.path[e],e===this.path.length-1))return!1;e--,n--}}return n<0}_matchSegment(t,e,n){if("*"!==t.tag&&t.tag!==e.tag)return!1;if(void 0!==t.namespace&&"*"!==t.namespace&&t.namespace!==e.namespace)return!1;if(void 0!==t.attrName){if(!n)return!1;if(!e.values||!(t.attrName in e.values))return!1;if(void 0!==t.attrValue&&String(e.values[t.attrName])!==String(t.attrValue))return!1}if(void 0!==t.position){if(!n)return!1;const i=e.counter??0;if("first"===t.position&&0!==i)return!1;if("odd"===t.position&&i%2!=1)return!1;if("even"===t.position&&i%2!=0)return!1;if("nth"===t.position&&i!==t.positionValue)return!1}return!0}matchesAny(t){return t.matchesAny(this)}snapshot(){return{path:this.path.map(t=>({...t})),siblingStacks:this.siblingStacks.map(t=>new Map(t))}}restore(t){this._pathStringCache=null,this.path=t.path.map(t=>({...t})),this.siblingStacks=t.siblingStacks.map(t=>new Map(t))}readOnly(){return this._view}}class G{constructor(t,e={},n){this.pattern=t,this.separator=e.separator||".",this.segments=this._parse(t),this.data=n,this._hasDeepWildcard=this.segments.some(t=>"deep-wildcard"===t.type),this._hasAttributeCondition=this.segments.some(t=>void 0!==t.attrName),this._hasPositionSelector=this.segments.some(t=>void 0!==t.position)}_parse(t){const e=[];let n=0,i="";for(;n",lt:"<",quot:'"'},X={nbsp:" ",copy:"©",reg:"®",trade:"™",mdash:"—",ndash:"–",hellip:"…",laquo:"«",raquo:"»",lsquo:"‘",rsquo:"’",ldquo:"“",rdquo:"”",bull:"•",para:"¶",sect:"§",deg:"°",frac12:"½",frac14:"¼",frac34:"¾"},Y=new Set("!?\\\\/[]$%{}^&*()<>|+");function z(t){if("#"===t[0])throw new Error(`[EntityReplacer] Invalid character '#' in entity name: "${t}"`);for(const e of t)if(Y.has(e))throw new Error(`[EntityReplacer] Invalid character '${e}' in entity name: "${t}"`);return t}function q(...t){const e=Object.create(null);for(const n of t)if(n)for(const t of Object.keys(n)){const i=n[t];if("string"==typeof i)e[t]=i;else if(i&&"object"==typeof i&&void 0!==i.val){const n=i.val;"string"==typeof n&&(e[t]=n)}}return e}const Z="external",J="base",K="all",Q=Object.freeze({allow:0,leave:1,remove:2,throw:3}),H=new Set([9,10,13]);class tt{constructor(t={}){var e;this._limit=t.limit||{},this._maxTotalExpansions=this._limit.maxTotalExpansions||0,this._maxExpandedLength=this._limit.maxExpandedLength||0,this._postCheck="function"==typeof t.postCheck?t.postCheck:t=>t,this._limitTiers=(e=this._limit.applyLimitsTo??Z)&&e!==Z?e===K?new Set([K]):e===J?new Set([J]):Array.isArray(e)?new Set(e):new Set([Z]):new Set([Z]),this._numericAllowed=t.numericAllowed??!0,this._baseMap=q(W,t.namedEntities||null),this._externalMap=Object.create(null),this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this._removeSet=new Set(t.remove&&Array.isArray(t.remove)?t.remove:[]),this._leaveSet=new Set(t.leave&&Array.isArray(t.leave)?t.leave:[]);const n=function(t){if(!t)return{xmlVersion:1,onLevel:Q.allow,nullLevel:Q.remove};const e=1.1===t.xmlVersion?1.1:1,n=Q[t.onNCR]??Q.allow,i=Q[t.nullNCR]??Q.remove;return{xmlVersion:e,onLevel:n,nullLevel:Math.max(i,Q.remove)}}(t.ncr);this._ncrXmlVersion=n.xmlVersion,this._ncrOnLevel=n.onLevel,this._ncrNullLevel=n.nullLevel}setExternalEntities(t){if(t)for(const e of Object.keys(t))z(e);this._externalMap=q(t)}addExternalEntity(t,e){z(t),"string"==typeof e&&-1===e.indexOf("&")&&(this._externalMap[t]=e)}addInputEntities(t){this._totalExpansions=0,this._expandedLength=0,this._inputMap=q(t)}reset(){return this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this}setXmlVersion(t){this._ncrXmlVersion=1.1===t?1.1:1}decode(t){if("string"!=typeof t||0===t.length)return t;const e=t,n=[],i=t.length;let s=0,r=0;const o=this._maxTotalExpansions>0,a=this._maxExpandedLength>0,h=o||a;for(;r=i||59!==t.charCodeAt(e)){r++;continue}const l=t.slice(r+1,e);if(0===l.length){r++;continue}let u,p;if(this._removeSet.has(l))u="",void 0===p&&(p=Z);else{if(this._leaveSet.has(l)){r++;continue}if(35===l.charCodeAt(0)){const t=this._resolveNCR(l);if(void 0===t){r++;continue}u=t,p=J}else{const t=this._resolveName(l);u=t?.value,p=t?.tier}}if(void 0!==u){if(r>s&&n.push(t.slice(s,r)),n.push(u),s=e+1,r=s,h&&this._tierCounts(p)){if(o&&(this._totalExpansions++,this._totalExpansions>this._maxTotalExpansions))throw new Error(`[EntityReplacer] Entity expansion count limit exceeded: ${this._totalExpansions} > ${this._maxTotalExpansions}`);if(a){const t=u.length-(l.length+2);if(t>0&&(this._expandedLength+=t,this._expandedLength>this._maxExpandedLength))throw new Error(`[EntityReplacer] Expanded content length limit exceeded: ${this._expandedLength} > ${this._maxExpandedLength}`)}}}else r++}s=55296&&t<=57343||1===this._ncrXmlVersion&&t>=1&&t<=31&&!H.has(t)?Q.remove:-1}_applyNCRAction(t,e,n){switch(t){case Q.allow:return String.fromCodePoint(n);case Q.remove:return"";case Q.leave:return;case Q.throw:throw new Error(`[EntityDecoder] Prohibited numeric character reference &${e}; (U+${n.toString(16).toUpperCase().padStart(4,"0")})`);default:return String.fromCodePoint(n)}}_resolveNCR(t){const e=t.charCodeAt(1);let n;if(n=120===e||88===e?parseInt(t.slice(2),16):parseInt(t.slice(1),10),Number.isNaN(n)||n<0||n>1114111)return;const i=this._classifyNCR(n);if(!this._numericAllowed&&i0){const n=t.substring(0,e);if("xmlns"!==n)return n}}class it{constructor(t,e){var n;this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.parseXml=ht,this.parseTextData=st,this.resolveNameSpace=rt,this.buildAttributesMap=at,this.isItStopNode=ct,this.replaceEntitiesValue=ut,this.readStopNodeData=mt,this.saveTextToParentTag=pt,this.addChild=lt,this.ignoreAttributesFn="function"==typeof(n=this.options.ignoreAttributes)?n:Array.isArray(n)?t=>{for(const e of n){if("string"==typeof e&&t===e)return!0;if(e instanceof RegExp&&e.test(t))return!0}}:()=>!1,this.entityExpansionCount=0,this.currentExpandedLength=0;let i={...W};this.options.entityDecoder?this.entityDecoder=this.options.entityDecoder:("object"==typeof this.options.htmlEntities?i=this.options.htmlEntities:!0===this.options.htmlEntities&&(i={...X,...U}),this.entityDecoder=new tt({namedEntities:{...i,...e},numericAllowed:this.options.htmlEntities,limit:{maxTotalExpansions:this.options.processEntities.maxTotalExpansions,maxExpandedLength:this.options.processEntities.maxExpandedLength,applyLimitsTo:this.options.processEntities.appliesTo}})),this.matcher=new R,this.readonlyMatcher=this.matcher.readOnly(),this.isCurrentNodeStopNode=!1,this.stopNodeExpressionsSet=new B;const s=this.options.stopNodes;if(s&&s.length>0){for(let t=0;t0)){o||(t=this.replaceEntitiesValue(t,e,n));const i=a.jPath?n.toString():n,h=a.tagValueProcessor(e,t,i,s,r);return null==h?t:typeof h!=typeof t||h!==t?h:a.trimValues||t.trim()===t?xt(t,a.parseTagValue,a.numberParseOptions):t}}function rt(t){if(this.options.removeNSPrefix){const e=t.split(":"),n="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=n+e[1])}return t}const ot=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function at(t,e,n,i=!1){const r=this.options;if(!0===i||!0!==r.ignoreAttributes&&"string"==typeof t){const i=s(t,ot),o=i.length,a={},h=new Array(o);let l=!1;const u={};for(let t=0;t",a,"Closing Tag is not closed.");let r=t.substring(a+2,e).trim();if(s.removeNSPrefix){const t=r.indexOf(":");-1!==t&&(r=r.substr(t+1))}r=Nt(s.transformTagName,r,"",s).tagName,n&&(i=this.saveTextToParentTag(i,n,this.readonlyMatcher));const o=this.matcher.getCurrentTag();if(r&&s.unpairedTagsSet.has(r))throw new Error(`Unpaired tag can not be used as closing tag: `);o&&s.unpairedTagsSet.has(o)&&(this.matcher.pop(),this.tagsNodeStack.pop()),this.matcher.pop(),this.isCurrentNodeStopNode=!1,n=this.tagsNodeStack.pop(),i="",a=e}else if(63===h){let e=gt(t,a,!1,"?>");if(!e)throw new Error("Pi Tag is not closed.");i=this.saveTextToParentTag(i,n,this.readonlyMatcher);const r=this.buildAttributesMap(e.tagExp,this.matcher,e.tagName,!0);if(r){const t=r[this.options.attributeNamePrefix+"version"];this.entityDecoder.setXmlVersion(Number(t)||1)}if(s.ignoreDeclaration&&"?xml"===e.tagName||s.ignorePiTags);else{const t=new O(e.tagName);t.add(s.textNodeName,""),e.tagName!==e.tagExp&&e.attrExpPresent&&!0!==s.ignoreAttributes&&(t[":@"]=r),this.addChild(n,t,this.readonlyMatcher,a)}a=e.closeIndex+1}else if(33===h&&45===t.charCodeAt(a+2)&&45===t.charCodeAt(a+3)){const e=dt(t,"--\x3e",a+4,"Comment is not closed.");if(s.commentPropName){const r=t.substring(a+4,e-2);i=this.saveTextToParentTag(i,n,this.readonlyMatcher),n.add(s.commentPropName,[{[s.textNodeName]:r}])}a=e}else if(33===h&&68===t.charCodeAt(a+2)){const e=r.readDocType(t,a);this.entityDecoder.addInputEntities(e.entities),a=e.i}else if(33===h&&91===t.charCodeAt(a+2)){const e=dt(t,"]]>",a,"CDATA is not closed.")-2,r=t.substring(a+9,e);i=this.saveTextToParentTag(i,n,this.readonlyMatcher);let o=this.parseTextData(r,n.tagname,this.readonlyMatcher,!0,!1,!0,!0);null==o&&(o=""),s.cdataPropName?n.add(s.cdataPropName,[{[s.textNodeName]:r}]):n.add(s.textNodeName,o),a=e+2}else{let r=gt(t,a,s.removeNSPrefix);if(!r){const e=t.substring(Math.max(0,a-50),Math.min(o,a+50));throw new Error(`readTagExp returned undefined at position ${a}. Context: "${e}"`)}let h=r.tagName;const l=r.rawTagName;let u=r.tagExp,p=r.attrExpPresent,c=r.closeIndex;if(({tagName:h,tagExp:u}=Nt(s.transformTagName,h,u,s)),s.strictReservedNames&&(h===s.commentPropName||h===s.cdataPropName||h===s.textNodeName||h===s.attributesGroupName))throw new Error(`Invalid tag name: ${h}`);n&&i&&"!xml"!==n.tagname&&(i=this.saveTextToParentTag(i,n,this.readonlyMatcher,!1));const d=n;d&&s.unpairedTagsSet.has(d.tagname)&&(n=this.tagsNodeStack.pop(),this.matcher.pop());let f=!1;u.length>0&&u.lastIndexOf("/")===u.length-1&&(f=!0,"/"===h[h.length-1]?(h=h.substr(0,h.length-1),u=h):u=u.substr(0,u.length-1),p=h!==u);let g,m=null,x={};g=nt(l),h!==e.tagname&&this.matcher.push(h,{},g),h!==u&&p&&(m=this.buildAttributesMap(u,this.matcher,h),m&&(x=et(m,s))),h!==e.tagname&&(this.isCurrentNodeStopNode=this.isItStopNode());const N=a;if(this.isCurrentNodeStopNode){let e="";if(f)a=r.closeIndex;else if(s.unpairedTagsSet.has(h))a=r.closeIndex;else{const n=this.readStopNodeData(t,l,c+1);if(!n)throw new Error(`Unexpected end of ${l}`);a=n.i,e=n.tagContent}const i=new O(h);m&&(i[":@"]=m),i.add(s.textNodeName,e),this.matcher.pop(),this.isCurrentNodeStopNode=!1,this.addChild(n,i,this.readonlyMatcher,N)}else{if(f){({tagName:h,tagExp:u}=Nt(s.transformTagName,h,u,s));const t=new O(h);m&&(t[":@"]=m),this.addChild(n,t,this.readonlyMatcher,N),this.matcher.pop(),this.isCurrentNodeStopNode=!1}else{if(s.unpairedTagsSet.has(h)){const t=new O(h);m&&(t[":@"]=m),this.addChild(n,t,this.readonlyMatcher,N),this.matcher.pop(),this.isCurrentNodeStopNode=!1,a=r.closeIndex;continue}{const t=new O(h);if(this.tagsNodeStack.length>s.maxNestedTags)throw new Error("Maximum nested tags exceeded");this.tagsNodeStack.push(n),m&&(t[":@"]=m),this.addChild(n,t,this.readonlyMatcher,N),n=t}}i="",a=c}}}else i+=t[a];return e.child};function lt(t,e,n,i){this.options.captureMetaData||(i=void 0);const s=this.options.jPath?n.toString():n,r=this.options.updateTag(e.tagname,s,e[":@"]);!1===r||("string"==typeof r?(e.tagname=r,t.addChild(e,i)):t.addChild(e,i))}function ut(t,e,n){const i=this.options.processEntities;if(!i||!i.enabled)return t;if(i.allowedTags){const s=this.options.jPath?n.toString():n;if(!(Array.isArray(i.allowedTags)?i.allowedTags.includes(e):i.allowedTags(e,s)))return t}if(i.tagFilter){const s=this.options.jPath?n.toString():n;if(!i.tagFilter(e,s))return t}return this.entityDecoder.decode(t)}function pt(t,e,n,i){return t&&(void 0===i&&(i=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,n,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,i))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function ct(){return 0!==this.stopNodeExpressionsSet.size&&this.matcher.matchesAny(this.stopNodeExpressionsSet)}function dt(t,e,n,i){const s=t.indexOf(e,n);if(-1===s)throw new Error(i);return s+e.length-1}function ft(t,e,n,i){const s=t.indexOf(e,n);if(-1===s)throw new Error(i);return s}function gt(t,e,n,i=">"){const s=function(t,e,n=">"){let i=0;const s=t.length,r=n.charCodeAt(0),o=n.length>1?n.charCodeAt(1):-1;let a="",h=e;for(let n=e;n",n,`${e} is not closed`);if(t.substring(n+2,r).trim()===e&&(s--,0===s))return{tagContent:t.substring(i,n),i:r};n=r}else if(63===r)n=dt(t,"?>",n+1,"StopNode is not closed.");else if(33===r&&45===t.charCodeAt(n+2)&&45===t.charCodeAt(n+3))n=dt(t,"--\x3e",n+3,"StopNode is not closed.");else if(33===r&&91===t.charCodeAt(n+2))n=dt(t,"]]>",n,"StopNode is not closed.")-2;else{const i=gt(t,n,">");i&&((i&&i.tagName)===e&&"/"!==i.tagExp[i.tagExp.length-1]&&s++,n=i.closeIndex)}}}function xt(t,e,n){if(e&&"string"==typeof t){const e=t.trim();return"true"===e||"false"!==e&&function(t,e={}){if(e=Object.assign({},L,e),!t||"string"!=typeof t)return t;let n=t.trim();if(0===n.length)return t;if(void 0!==e.skipLike&&e.skipLike.test(n))return t;if("0"===n)return 0;if(e.hex&&j.test(n))return function(t){if(parseInt)return parseInt(t,16);if(Number.parseInt)return Number.parseInt(t,16);if(window&&window.parseInt)return window.parseInt(t,16);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}(n);if(isFinite(n)){if(n.includes("e")||n.includes("E"))return function(t,e,n){if(!n.eNotation)return t;const i=e.match(k);if(i){let s=i[1]||"";const r=-1===i[3].indexOf("e")?"E":"e",o=i[2],a=s?t[o.length+1]===r:t[o.length]===r;return o.length>1&&a?t:(1!==o.length||!i[3].startsWith(`.${r}`)&&i[3][0]!==r)&&o.length>0?n.leadingZeros&&!a?(e=(i[1]||"")+i[3],Number(e)):t:Number(e)}return t}(t,n,e);{const s=V.exec(n);if(s){const r=s[1]||"",o=s[2];let a=(i=s[3])&&-1!==i.indexOf(".")?("."===(i=i.replace(/0+$/,""))?i="0":"."===i[0]?i="0"+i:"."===i[i.length-1]&&(i=i.substring(0,i.length-1)),i):i;const h=r?"."===t[o.length+1]:"."===t[o.length];if(!e.leadingZeros&&(o.length>1||1===o.length&&!h))return t;{const i=Number(n),s=String(i);if(0===i)return i;if(-1!==s.search(/[eE]/))return e.eNotation?i:t;if(-1!==n.indexOf("."))return"0"===s||s===a||s===`${r}${a}`?i:t;let h=o?a:n;return o?h===s||r+h===s?i:t:h===s||h===r+s?i:t}}return t}}var i;return function(t,e,n){const i=e===1/0;switch(n.infinity.toLowerCase()){case"null":return null;case"infinity":return e;case"string":return i?"Infinity":"-Infinity";default:return t}}(t,Number(n),e)}(t,n)}return void 0!==t?t:""}function Nt(t,e,n,i){if(t){const i=t(e);n===e&&(n=i),e=i}return{tagName:e=bt(e,i),tagExp:n}}function bt(t,e){if(a.includes(t))throw new Error(`[SECURITY] Invalid name: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);return o.includes(t)?e.onDangerousProperty(t):t}const yt=O.getMetaDataSymbol();function Et(t,e){if(!t||"object"!=typeof t)return{};if(!e)return t;const n={};for(const i in t)i.startsWith(e)?n[i.substring(e.length)]=t[i]:n[i]=t[i];return n}function wt(t,e,n,i){return vt(t,e,n,i)}function vt(t,e,n,i){let s;const r={};for(let o=0;o0&&(r[e.textNodeName]=s):void 0!==s&&(r[e.textNodeName]=s),r}function St(t){const e=Object.keys(t);for(let t=0;t0&&(n="\n");const i=[];if(e.stopNodes&&Array.isArray(e.stopNodes))for(let t=0;te.maxNestedTags)throw new Error("Maximum nested tags exceeded");if(!Array.isArray(t)){if(null!=t){let n=t.toString();return n=Vt(n,e),n}return""}for(let a=0;a/g,"]]]]>")}]]>`,o=!1,i.pop();continue}if(l===e.commentPropName){const t=h[l][0][e.textNodeName];r+=n+`\x3c!--${String(t).replace(/--/g,"- -").replace(/-$/,"- ")}--\x3e`,o=!0,i.pop();continue}if("?"===l[0]){const t=Mt(h[":@"],e,p),s="?xml"===l?"":n;let a=h[l][0][e.textNodeName];a=0!==a.length?" "+a:"",r+=s+`<${l}${a}${t}?>`,o=!0,i.pop();continue}let c=n;""!==c&&(c+=e.indentBy);const d=n+`<${l}${Mt(h[":@"],e,p)}`;let f;f=p?$t(h[l],e):Pt(h[l],e,c,i,s),-1!==e.unpairedTags.indexOf(l)?e.suppressUnpairedNode?r+=d+">":r+=d+"/>":f&&0!==f.length||!e.suppressEmptyNode?f&&f.endsWith(">")?r+=d+`>${f}${n}`:(r+=d+">",f&&""!==n&&(f.includes("/>")||f.includes("`):r+=d+"/>",o=!0,i.pop()}return r}function Ot(t,e){if(!t||e.ignoreAttributes)return null;const n={};let i=!1;for(let s in t)Object.prototype.hasOwnProperty.call(t,s)&&(n[s.startsWith(e.attributeNamePrefix)?s.substr(e.attributeNamePrefix.length):s]=t[s],i=!0);return i?n:null}function $t(t,e){if(!Array.isArray(t))return null!=t?t.toString():"";let n="";for(let i=0;i${i}`:n+=`<${r}${t}/>`}}}return n}function It(t,e){let n="";if(t&&!e.ignoreAttributes)for(let i in t){if(!Object.prototype.hasOwnProperty.call(t,i))continue;let s=t[i];!0===s&&e.suppressBooleanAttributes?n+=` ${i.substr(e.attributeNamePrefix.length)}`:n+=` ${i.substr(e.attributeNamePrefix.length)}="${s}"`}return n}function Dt(t){const e=Object.keys(t);for(let n=0;n0&&e.processEntities)for(let n=0;n","g"),val:">"},{regex:new RegExp("<","g"),val:"<"},{regex:new RegExp("'","g"),val:"'"},{regex:new RegExp('"',"g"),val:"""}],processEntities:!0,stopNodes:[],oneListGroup:!1,maxNestedTags:100,jPath:!0};function kt(t){if(this.options=Object.assign({},Lt,t),this.options.stopNodes&&Array.isArray(this.options.stopNodes)&&(this.options.stopNodes=this.options.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),this.stopNodeExpressions=[],this.options.stopNodes&&Array.isArray(this.options.stopNodes))for(let t=0;t{for(const n of e){if("string"==typeof n&&t===n)return!0;if(n instanceof RegExp&&n.test(t))return!0}}:()=>!1,this.attrPrefixLen=this.options.attributeNamePrefix.length,this.isAttribute=Gt),this.processTextOrObjNode=Ft,this.options.format?(this.indentate=Rt,this.tagEndChar=">\n",this.newLine="\n"):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function Ft(t,e,n,i){const s=this.extractAttributes(t);if(i.push(e,s),this.checkStopNode(i)){const s=this.buildRawContent(t),r=this.buildAttributesForStopNode(t);return i.pop(),this.buildObjectNode(s,e,r,n)}const r=this.j2x(t,n+1,i);return i.pop(),void 0!==t[this.options.textNodeName]&&1===Object.keys(t).length?this.buildTextValNode(t[this.options.textNodeName],e,r.attrStr,n,i):this.buildObjectNode(r.val,e,r.attrStr,n)}function Rt(t){return this.options.indentBy.repeat(t)}function Gt(t){return!(!t.startsWith(this.options.attributeNamePrefix)||t===this.options.textNodeName)&&t.substr(this.attrPrefixLen)}kt.prototype.build=function(t){if(this.options.preserveOrder)return Ct(t,this.options);{Array.isArray(t)&&this.options.arrayNodeName&&this.options.arrayNodeName.length>1&&(t={[this.options.arrayNodeName]:t});const e=new R;return this.j2x(t,0,e).val}},kt.prototype.j2x=function(t,e,n){let i="",s="";if(this.options.maxNestedTags&&n.getDepth()>=this.options.maxNestedTags)throw new Error("Maximum nested tags exceeded");const r=this.options.jPath?n.toString():n,o=this.checkStopNode(n);for(let a in t)if(Object.prototype.hasOwnProperty.call(t,a))if(void 0===t[a])this.isAttribute(a)&&(s+="");else if(null===t[a])this.isAttribute(a)||a===this.options.cdataPropName?s+="":"?"===a[0]?s+=this.indentate(e)+"<"+a+"?"+this.tagEndChar:s+=this.indentate(e)+"<"+a+"/"+this.tagEndChar;else if(t[a]instanceof Date)s+=this.buildTextValNode(t[a],a,"",e,n);else if("object"!=typeof t[a]){const h=this.isAttribute(a);if(h&&!this.ignoreAttributesFn(h,r))i+=this.buildAttrPairStr(h,""+t[a],o);else if(!h)if(a===this.options.textNodeName){let e=this.options.tagValueProcessor(a,""+t[a]);s+=this.replaceEntitiesValue(e)}else{n.push(a);const i=this.checkStopNode(n);if(n.pop(),i){const n=""+t[a];s+=""===n?this.indentate(e)+"<"+a+this.closeTag(a)+this.tagEndChar:this.indentate(e)+"<"+a+">"+n+""+t+"${t}`;else if("object"==typeof t&&null!==t){const i=this.buildRawContent(t),s=this.buildAttributesForStopNode(t);e+=""===i?`<${n}${s}/>`:`<${n}${s}>${i}`}}else if("object"==typeof i&&null!==i){const t=this.buildRawContent(i),s=this.buildAttributesForStopNode(i);e+=""===t?`<${n}${s}/>`:`<${n}${s}>${t}`}else e+=`<${n}>${i}`}return e},kt.prototype.buildAttributesForStopNode=function(t){if(!t||"object"!=typeof t)return"";let e="";if(this.options.attributesGroupName&&t[this.options.attributesGroupName]){const n=t[this.options.attributesGroupName];for(let t in n){if(!Object.prototype.hasOwnProperty.call(n,t))continue;const i=t.startsWith(this.options.attributeNamePrefix)?t.substring(this.options.attributeNamePrefix.length):t,s=n[t];!0===s&&this.options.suppressBooleanAttributes?e+=" "+i:e+=" "+i+'="'+s+'"'}}else for(let n in t){if(!Object.prototype.hasOwnProperty.call(t,n))continue;const i=this.isAttribute(n);if(i){const s=t[n];!0===s&&this.options.suppressBooleanAttributes?e+=" "+i:e+=" "+i+'="'+s+'"'}}return e},kt.prototype.buildObjectNode=function(t,e,n,i){if(""===t)return"?"===e[0]?this.indentate(i)+"<"+e+n+"?"+this.tagEndChar:this.indentate(i)+"<"+e+n+this.closeTag(e)+this.tagEndChar;{let s=""+t+s}},kt.prototype.closeTag=function(t){let e="";return-1!==this.options.unpairedTags.indexOf(t)?this.options.suppressUnpairedNode||(e="/"):e=this.options.suppressEmptyNode?"/":`>/g,"]]]]>");return this.indentate(i)+``+this.newLine}if(!1!==this.options.commentPropName&&e===this.options.commentPropName){const e=String(t).replace(/--/g,"- -").replace(/-$/,"- ");return this.indentate(i)+`\x3c!--${e}--\x3e`+this.newLine}if("?"===e[0])return this.indentate(i)+"<"+e+n+"?"+this.tagEndChar;{let s=this.options.tagValueProcessor(e,t);return s=this.replaceEntitiesValue(s),""===s?this.indentate(i)+"<"+e+n+this.closeTag(e)+this.tagEndChar:this.indentate(i)+"<"+e+n+">"+s+"0&&this.options.processEntities)for(let e=0;e seg.type === 'deep-wildcard'); this._hasAttributeCondition = this.segments.some(seg => seg.attrName !== undefined); @@ -214502,56 +214502,206 @@ class Expression { } } ;// CONCATENATED MODULE: ./node_modules/path-expression-matcher/src/Matcher.js + + /** - * Matcher - Tracks current path in XML/JSON tree and matches against Expressions - * + * MatcherView - A lightweight read-only view over a Matcher's internal state. + * + * Created once by Matcher and reused across all callbacks. Holds a direct + * reference to the parent Matcher so it always reflects current parser state + * with zero copying or freezing overhead. + * + * Users receive this via {@link Matcher#readOnly} or directly from parser + * callbacks. It exposes all query and matching methods but has no mutation + * methods — misuse is caught at the TypeScript level rather than at runtime. + * + * @example + * const matcher = new Matcher(); + * const view = matcher.readOnly(); + * + * matcher.push("root", {}); + * view.getCurrentTag(); // "root" + * view.getDepth(); // 1 + */ +class MatcherView { + /** + * @param {Matcher} matcher - The parent Matcher instance to read from. + */ + constructor(matcher) { + this._matcher = matcher; + } + + /** + * Get the path separator used by the parent matcher. + * @returns {string} + */ + get separator() { + return this._matcher.separator; + } + + /** + * Get current tag name. + * @returns {string|undefined} + */ + getCurrentTag() { + const path = this._matcher.path; + return path.length > 0 ? path[path.length - 1].tag : undefined; + } + + /** + * Get current namespace. + * @returns {string|undefined} + */ + getCurrentNamespace() { + const path = this._matcher.path; + return path.length > 0 ? path[path.length - 1].namespace : undefined; + } + + /** + * Get current node's attribute value. + * @param {string} attrName + * @returns {*} + */ + getAttrValue(attrName) { + const path = this._matcher.path; + if (path.length === 0) return undefined; + return path[path.length - 1].values?.[attrName]; + } + + /** + * Check if current node has an attribute. + * @param {string} attrName + * @returns {boolean} + */ + hasAttr(attrName) { + const path = this._matcher.path; + if (path.length === 0) return false; + const current = path[path.length - 1]; + return current.values !== undefined && attrName in current.values; + } + + /** + * Get current node's sibling position (child index in parent). + * @returns {number} + */ + getPosition() { + const path = this._matcher.path; + if (path.length === 0) return -1; + return path[path.length - 1].position ?? 0; + } + + /** + * Get current node's repeat counter (occurrence count of this tag name). + * @returns {number} + */ + getCounter() { + const path = this._matcher.path; + if (path.length === 0) return -1; + return path[path.length - 1].counter ?? 0; + } + + /** + * Get current node's sibling index (alias for getPosition). + * @returns {number} + * @deprecated Use getPosition() or getCounter() instead + */ + getIndex() { + return this.getPosition(); + } + + /** + * Get current path depth. + * @returns {number} + */ + getDepth() { + return this._matcher.path.length; + } + + /** + * Get path as string. + * @param {string} [separator] - Optional separator (uses default if not provided) + * @param {boolean} [includeNamespace=true] + * @returns {string} + */ + toString(separator, includeNamespace = true) { + return this._matcher.toString(separator, includeNamespace); + } + + /** + * Get path as array of tag names. + * @returns {string[]} + */ + toArray() { + return this._matcher.path.map(n => n.tag); + } + + /** + * Match current path against an Expression. + * @param {Expression} expression + * @returns {boolean} + */ + matches(expression) { + return this._matcher.matches(expression); + } + + /** + * Match any expression in the given set against the current path. + * @param {ExpressionSet} exprSet + * @returns {boolean} + */ + matchesAny(exprSet) { + return exprSet.matchesAny(this._matcher); + } +} + +/** + * Matcher - Tracks current path in XML/JSON tree and matches against Expressions. + * * The matcher maintains a stack of nodes representing the current path from root to * current tag. It only stores attribute values for the current (top) node to minimize * memory usage. Sibling tracking is used to auto-calculate position and counter. - * + * + * Use {@link Matcher#readOnly} to obtain a {@link MatcherView} safe to pass to + * user callbacks — it always reflects current state with no Proxy overhead. + * * @example * const matcher = new Matcher(); * matcher.push("root", {}); * matcher.push("users", {}); * matcher.push("user", { id: "123", type: "admin" }); - * + * * const expr = new Expression("root.users.user"); * matcher.matches(expr); // true */ - -/** - * Names of methods that mutate Matcher state. - * Any attempt to call these on a read-only view throws a TypeError. - * @type {Set} - */ -const MUTATING_METHODS = new Set(['push', 'pop', 'reset', 'updateCurrent', 'restore']); - class Matcher { /** - * Create a new Matcher - * @param {Object} options - Configuration options - * @param {string} options.separator - Default path separator (default: '.') + * Create a new Matcher. + * @param {Object} [options={}] + * @param {string} [options.separator='.'] - Default path separator */ constructor(options = {}) { this.separator = options.separator || '.'; this.path = []; this.siblingStacks = []; - // Each path node: { tag: string, values: object, position: number, counter: number } + // Each path node: { tag, values, position, counter, namespace? } // values only present for current (last) node // Each siblingStacks entry: Map tracking occurrences at each level + this._pathStringCache = null; + this._view = new MatcherView(this); } /** - * Push a new tag onto the path - * @param {string} tagName - Name of the tag - * @param {Object} attrValues - Attribute key-value pairs for current node (optional) - * @param {string} namespace - Namespace for the tag (optional) + * Push a new tag onto the path. + * @param {string} tagName + * @param {Object|null} [attrValues=null] + * @param {string|null} [namespace=null] */ push(tagName, attrValues = null, namespace = null) { + this._pathStringCache = null; + // Remove values from previous current node (now becoming ancestor) if (this.path.length > 0) { - const prev = this.path[this.path.length - 1]; - prev.values = undefined; + this.path[this.path.length - 1].values = undefined; } // Get or create sibling tracking for current level @@ -214584,12 +214734,10 @@ class Matcher { counter: counter }; - // Store namespace if provided if (namespace !== null && namespace !== undefined) { node.namespace = namespace; } - // Store values only for current node if (attrValues !== null && attrValues !== undefined) { node.values = attrValues; } @@ -214598,19 +214746,15 @@ class Matcher { } /** - * Pop the last tag from the path + * Pop the last tag from the path. * @returns {Object|undefined} The popped node */ pop() { - if (this.path.length === 0) { - return undefined; - } + if (this.path.length === 0) return undefined; + this._pathStringCache = null; const node = this.path.pop(); - // Clean up sibling tracking for levels deeper than current - // After pop, path.length is the new depth - // We need to clean up siblingStacks[path.length + 1] and beyond if (this.siblingStacks.length > this.path.length + 1) { this.siblingStacks.length = this.path.length + 1; } @@ -214619,9 +214763,9 @@ class Matcher { } /** - * Update current node's attribute values - * Useful when attributes are parsed after push - * @param {Object} attrValues - Attribute values + * Update current node's attribute values. + * Useful when attributes are parsed after push. + * @param {Object} attrValues */ updateCurrent(attrValues) { if (this.path.length > 0) { @@ -214633,7 +214777,7 @@ class Matcher { } /** - * Get current tag name + * Get current tag name. * @returns {string|undefined} */ getCurrentTag() { @@ -214641,7 +214785,7 @@ class Matcher { } /** - * Get current namespace + * Get current namespace. * @returns {string|undefined} */ getCurrentNamespace() { @@ -214649,19 +214793,18 @@ class Matcher { } /** - * Get current node's attribute value - * @param {string} attrName - Attribute name - * @returns {*} Attribute value or undefined + * Get current node's attribute value. + * @param {string} attrName + * @returns {*} */ getAttrValue(attrName) { if (this.path.length === 0) return undefined; - const current = this.path[this.path.length - 1]; - return current.values?.[attrName]; + return this.path[this.path.length - 1].values?.[attrName]; } /** - * Check if current node has an attribute - * @param {string} attrName - Attribute name + * Check if current node has an attribute. + * @param {string} attrName * @returns {boolean} */ hasAttr(attrName) { @@ -214671,7 +214814,7 @@ class Matcher { } /** - * Get current node's sibling position (child index in parent) + * Get current node's sibling position (child index in parent). * @returns {number} */ getPosition() { @@ -214680,7 +214823,7 @@ class Matcher { } /** - * Get current node's repeat counter (occurrence count of this tag name) + * Get current node's repeat counter (occurrence count of this tag name). * @returns {number} */ getCounter() { @@ -214689,7 +214832,7 @@ class Matcher { } /** - * Get current node's sibling index (alias for getPosition for backward compatibility) + * Get current node's sibling index (alias for getPosition). * @returns {number} * @deprecated Use getPosition() or getCounter() instead */ @@ -214698,7 +214841,7 @@ class Matcher { } /** - * Get current path depth + * Get current path depth. * @returns {number} */ getDepth() { @@ -214706,23 +214849,33 @@ class Matcher { } /** - * Get path as string - * @param {string} separator - Optional separator (uses default if not provided) - * @param {boolean} includeNamespace - Whether to include namespace in output (default: true) + * Get path as string. + * @param {string} [separator] - Optional separator (uses default if not provided) + * @param {boolean} [includeNamespace=true] * @returns {string} */ toString(separator, includeNamespace = true) { const sep = separator || this.separator; - return this.path.map(n => { - if (includeNamespace && n.namespace) { - return `${n.namespace}:${n.tag}`; + const isDefault = (sep === this.separator && includeNamespace === true); + + if (isDefault) { + if (this._pathStringCache !== null) { + return this._pathStringCache; } - return n.tag; - }).join(sep); + const result = this.path.map(n => + (n.namespace) ? `${n.namespace}:${n.tag}` : n.tag + ).join(sep); + this._pathStringCache = result; + return result; + } + + return this.path.map(n => + (includeNamespace && n.namespace) ? `${n.namespace}:${n.tag}` : n.tag + ).join(sep); } /** - * Get path as array of tag names + * Get path as array of tag names. * @returns {string[]} */ toArray() { @@ -214730,17 +214883,18 @@ class Matcher { } /** - * Reset the path to empty + * Reset the path to empty. */ reset() { + this._pathStringCache = null; this.path = []; this.siblingStacks = []; } /** - * Match current path against an Expression - * @param {Expression} expression - The expression to match against - * @returns {boolean} True if current path matches the expression + * Match current path against an Expression. + * @param {Expression} expression + * @returns {boolean} */ matches(expression) { const segments = expression.segments; @@ -214749,32 +214903,23 @@ class Matcher { return false; } - // Handle deep wildcard patterns if (expression.hasDeepWildcard()) { return this._matchWithDeepWildcard(segments); } - // Simple path matching (no deep wildcards) return this._matchSimple(segments); } /** - * Match simple path (no deep wildcards) * @private */ _matchSimple(segments) { - // Path must be same length as segments if (this.path.length !== segments.length) { return false; } - // Match each segment bottom-to-top for (let i = 0; i < segments.length; i++) { - const segment = segments[i]; - const node = this.path[i]; - const isCurrentNode = (i === this.path.length - 1); - - if (!this._matchSegment(segment, node, isCurrentNode)) { + if (!this._matchSegment(segments[i], this.path[i], i === this.path.length - 1)) { return false; } } @@ -214783,32 +214928,27 @@ class Matcher { } /** - * Match path with deep wildcards * @private */ _matchWithDeepWildcard(segments) { - let pathIdx = this.path.length - 1; // Start from current node (bottom) - let segIdx = segments.length - 1; // Start from last segment + let pathIdx = this.path.length - 1; + let segIdx = segments.length - 1; while (segIdx >= 0 && pathIdx >= 0) { const segment = segments[segIdx]; if (segment.type === 'deep-wildcard') { - // ".." matches zero or more levels segIdx--; if (segIdx < 0) { - // Pattern ends with "..", always matches return true; } - // Find where next segment matches in the path const nextSeg = segments[segIdx]; let found = false; for (let i = pathIdx; i >= 0; i--) { - const isCurrentNode = (i === this.path.length - 1); - if (this._matchSegment(nextSeg, this.path[i], isCurrentNode)) { + if (this._matchSegment(nextSeg, this.path[i], i === this.path.length - 1)) { pathIdx = i - 1; segIdx--; found = true; @@ -214820,9 +214960,7 @@ class Matcher { return false; } } else { - // Regular segment - const isCurrentNode = (pathIdx === this.path.length - 1); - if (!this._matchSegment(segment, this.path[pathIdx], isCurrentNode)) { + if (!this._matchSegment(segment, this.path[pathIdx], pathIdx === this.path.length - 1)) { return false; } pathIdx--; @@ -214830,38 +214968,25 @@ class Matcher { } } - // All segments must be consumed return segIdx < 0; } /** - * Match a single segment against a node * @private - * @param {Object} segment - Segment from Expression - * @param {Object} node - Node from path - * @param {boolean} isCurrentNode - Whether this is the current (last) node - * @returns {boolean} */ _matchSegment(segment, node, isCurrentNode) { - // Match tag name (* is wildcard) if (segment.tag !== '*' && segment.tag !== node.tag) { return false; } - // Match namespace if specified in segment if (segment.namespace !== undefined) { - // Segment has namespace - node must match it if (segment.namespace !== '*' && segment.namespace !== node.namespace) { return false; } } - // If segment has no namespace, it matches nodes with or without namespace - // Match attribute name (check if node has this attribute) - // Can only check for current node since ancestors don't have values if (segment.attrName !== undefined) { if (!isCurrentNode) { - // Can't check attributes for ancestor nodes (values not stored) return false; } @@ -214869,20 +214994,15 @@ class Matcher { return false; } - // Match attribute value (only possible for current node) if (segment.attrValue !== undefined) { - const actualValue = node.values[segment.attrName]; - // Both should be strings - if (String(actualValue) !== String(segment.attrValue)) { + if (String(node.values[segment.attrName]) !== String(segment.attrValue)) { return false; } } } - // Match position (only for current node) if (segment.position !== undefined) { if (!isCurrentNode) { - // Can't check position for ancestor nodes return false; } @@ -214894,10 +215014,8 @@ class Matcher { return false; } else if (segment.position === 'even' && counter % 2 !== 0) { return false; - } else if (segment.position === 'nth') { - if (counter !== segment.positionValue) { - return false; - } + } else if (segment.position === 'nth' && counter !== segment.positionValue) { + return false; } } @@ -214905,8 +215023,17 @@ class Matcher { } /** - * Create a snapshot of current state - * @returns {Object} State snapshot + * Match any expression in the given set against the current path. + * @param {ExpressionSet} exprSet + * @returns {boolean} + */ + matchesAny(exprSet) { + return exprSet.matchesAny(this); + } + + /** + * Create a snapshot of current state. + * @returns {Object} */ snapshot() { return { @@ -214916,88 +215043,33 @@ class Matcher { } /** - * Restore state from snapshot - * @param {Object} snapshot - State snapshot + * Restore state from snapshot. + * @param {Object} snapshot */ restore(snapshot) { + this._pathStringCache = null; this.path = snapshot.path.map(node => ({ ...node })); this.siblingStacks = snapshot.siblingStacks.map(map => new Map(map)); } /** - * Return a read-only view of this matcher. + * Return the read-only {@link MatcherView} for this matcher. * - * The returned object exposes all query/inspection methods but throws a - * TypeError if any state-mutating method is called (`push`, `pop`, `reset`, - * `updateCurrent`, `restore`). Property reads (e.g. `.path`, `.separator`) - * are allowed but the returned arrays/objects are frozen so callers cannot - * mutate internal state through them either. + * The same instance is returned on every call — no allocation occurs. + * It always reflects the current parser state and is safe to pass to + * user callbacks without risk of accidental mutation. * - * @returns {ReadOnlyMatcher} A proxy that forwards read operations and blocks writes. + * @returns {MatcherView} * * @example - * const matcher = new Matcher(); - * matcher.push("root", {}); - * - * const ro = matcher.readOnly(); - * ro.matches(expr); // ✓ works - * ro.getCurrentTag(); // ✓ works - * ro.push("child", {}); // ✗ throws TypeError - * ro.reset(); // ✗ throws TypeError + * const view = matcher.readOnly(); + * // pass view to callbacks — it stays in sync automatically + * view.matches(expr); // ✓ + * view.getCurrentTag(); // ✓ + * // view.push(...) // ✗ method does not exist — caught by TypeScript */ readOnly() { - const self = this; - - return new Proxy(self, { - get(target, prop, receiver) { - // Block mutating methods - if (MUTATING_METHODS.has(prop)) { - return () => { - throw new TypeError( - `Cannot call '${prop}' on a read-only Matcher. ` + - `Obtain a writable instance to mutate state.` - ); - }; - } - - const value = Reflect.get(target, prop, receiver); - - // Freeze array/object properties so callers can't mutate internal - // state through direct property access (e.g. matcher.path.push(...)) - if (prop === 'path' || prop === 'siblingStacks') { - return Object.freeze( - Array.isArray(value) - ? value.map(item => - item instanceof Map - ? Object.freeze(new Map(item)) // freeze a copy of each Map - : Object.freeze({ ...item }) // freeze a copy of each node - ) - : value - ); - } - - // Bind methods so `this` inside them still refers to the real Matcher - if (typeof value === 'function') { - return value.bind(target); - } - - return value; - }, - - // Prevent any property assignment on the read-only view - set(_target, prop) { - throw new TypeError( - `Cannot set property '${String(prop)}' on a read-only Matcher.` - ); - }, - - // Prevent property deletion - deleteProperty(_target, prop) { - throw new TypeError( - `Cannot delete property '${String(prop)}' from a read-only Matcher.` - ); - } - }); + return this._view; } } ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/orderedJs2Xml.js @@ -215085,12 +215157,18 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { if (isPreviousElementTag) { xmlStr += indentation; } - xmlStr += ``; + const val = tagObj[tagName][0][options.textNodeName]; + const safeVal = String(val).replace(/\]\]>/g, ']]]]>'); + xmlStr += ``; isPreviousElementTag = false; matcher.pop(); continue; } else if (tagName === options.commentPropName) { - xmlStr += indentation + ``; + const val = tagObj[tagName][0][options.textNodeName] + const safeVal = String(val) + .replace(/--/g, '- -') // -- is illegal anywhere in comment content + .replace(/-$/, '- '); // trailing - would form -- with the closing --> + xmlStr += indentation + ``; isPreviousElementTag = true; matcher.pop(); continue; @@ -215293,6 +215371,14 @@ function replaceEntitiesValue(textValue, options) { } return textValue; } + +function cdataVal(val) { + +} + +function commentVal(val) { + +} ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/ignoreAttributes.js function getIgnoreAttributesFn(ignoreAttributes) { if (typeof ignoreAttributes === 'function') { @@ -215801,9 +215887,13 @@ function buildEmptyObjNode(val, key, attrStr, level) { Builder.prototype.buildTextValNode = function (val, key, attrStr, level, matcher) { if (this.options.cdataPropName !== false && key === this.options.cdataPropName) { - return this.indentate(level) + `` + this.newLine; + const safeVal = String(val).replace(/\]\]>/g, ']]]]>'); + return this.indentate(level) + `` + this.newLine; } else if (this.options.commentPropName !== false && key === this.options.commentPropName) { - return this.indentate(level) + `` + this.newLine; + const safeVal = String(val) + .replace(/--/g, '- -') // -- is illegal anywhere in comment content + .replace(/-$/, '- '); // trailing - would form -- with the closing --> + return this.indentate(level) + `` + this.newLine; } else if (key[0] === "?") {//PI tag return this.indentate(level) + '<' + key + attrStr + '?' + this.tagEndChar; } else { @@ -216352,6 +216442,7 @@ const XMLValidator = { ;// CONCATENATED MODULE: ./node_modules/fast-xml-parser/src/xmlparser/OptionsBuilder.js + const defaultOnDangerousProperty = (name) => { if (DANGEROUS_PROPERTY_NAMES.includes(name)) { return "__" + name; @@ -216391,6 +216482,7 @@ const OptionsBuilder_defaultOptions = { unpairedTags: [], processEntities: true, htmlEntities: false, + entityDecoder: null, ignoreDeclaration: false, ignorePiTags: false, transformTagName: false, @@ -216437,18 +216529,19 @@ function validatePropertyName(propertyName, optionName) { * @param {boolean|object} value * @returns {object} Always returns normalized object */ -function normalizeProcessEntities(value) { +function normalizeProcessEntities(value, htmlEntities) { // Boolean backward compatibility if (typeof value === 'boolean') { return { enabled: value, // true or false maxEntitySize: 10000, - maxExpansionDepth: 10, - maxTotalExpansions: 1000, + maxExpansionDepth: 10000, + maxTotalExpansions: Infinity, maxExpandedLength: 100000, - maxEntityCount: 100, + maxEntityCount: 1000, allowedTags: null, - tagFilter: null + tagFilter: null, + appliesTo: "all", }; } @@ -216457,12 +216550,13 @@ function normalizeProcessEntities(value) { return { enabled: value.enabled !== false, maxEntitySize: Math.max(1, value.maxEntitySize ?? 10000), - maxExpansionDepth: Math.max(1, value.maxExpansionDepth ?? 10), - maxTotalExpansions: Math.max(1, value.maxTotalExpansions ?? 1000), + maxExpansionDepth: Math.max(1, value.maxExpansionDepth ?? 10000), + maxTotalExpansions: Math.max(1, value.maxTotalExpansions ?? Infinity), maxExpandedLength: Math.max(1, value.maxExpandedLength ?? 100000), - maxEntityCount: Math.max(1, value.maxEntityCount ?? 100), + maxEntityCount: Math.max(1, value.maxEntityCount ?? 1000), allowedTags: value.allowedTags ?? null, - tagFilter: value.tagFilter ?? null + tagFilter: value.tagFilter ?? null, + appliesTo: value.appliesTo ?? "all", }; } @@ -216493,8 +216587,8 @@ const buildOptions = function (options) { } // Always normalize processEntities for backward compatibility and validation - built.processEntities = normalizeProcessEntities(built.processEntities); - + built.processEntities = normalizeProcessEntities(built.processEntities, built.htmlEntities); + built.unpairedTagsSet = new Set(built.unpairedTags); // Convert old-style stopNodes for backward compatibility if (built.stopNodes && Array.isArray(built.stopNodes)) { built.stopNodes = built.stopNodes.map(node => { @@ -216589,11 +216683,8 @@ class DocTypeReader { ); } //const escaped = entityName.replace(/[.\-+*:]/g, '\\.'); - const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); - entities[entityName] = { - regx: RegExp(`&${escaped};`, "g"), - val: val - }; + //const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); + entities[entityName] = val; entityCount++; } } @@ -216985,8 +217076,9 @@ function toNumber(str, options = {}) { let trimmedStr = str.trim(); - if (options.skipLike !== undefined && options.skipLike.test(trimmedStr)) return str; - else if (str === "0") return 0; + if (trimmedStr.length === 0) return str; + else if (options.skipLike !== undefined && options.skipLike.test(trimmedStr)) return str; + else if (trimmedStr === "0") return 0; else if (options.hex && hexRegex.test(trimmedStr)) { return parse_int(trimmedStr, 16); // }else if (options.oct && octRegex.test(str)) { @@ -217062,11 +217154,16 @@ function resolveEnotation(str, trimmedStr, options) { else if (leadingZeros.length === 1 && (notation[3].startsWith(`.${eChar}`) || notation[3][0] === eChar)) { return Number(trimmedStr); - } else if (options.leadingZeros && !eAdjacentToLeadingZeros) { //accept with leading zeros - //remove leading 0s - trimmedStr = (notation[1] || "") + notation[3]; + } else if (leadingZeros.length > 0) { + // Has leading zeros — only accept if leadingZeros option allows it + if (options.leadingZeros && !eAdjacentToLeadingZeros) { + trimmedStr = (notation[1] || "") + notation[3]; + return Number(trimmedStr); + } else return str; + } else { + // No leading zeros — always valid e-notation, parse it return Number(trimmedStr); - } else return str; + } } else { return str; } @@ -217137,6 +217234,1939 @@ function ignoreAttributes_getIgnoreAttributesFn(ignoreAttributes) { } return () => false } +;// CONCATENATED MODULE: ./node_modules/path-expression-matcher/src/ExpressionSet.js +/** + * ExpressionSet - An indexed collection of Expressions for efficient bulk matching + * + * Instead of iterating all expressions on every tag, ExpressionSet pre-indexes + * them at insertion time by depth and terminal tag name. At match time, only + * the relevant bucket is evaluated — typically reducing checks from O(E) to O(1) + * lookup plus O(small bucket) matches. + * + * Three buckets are maintained: + * - `_byDepthAndTag` — exact depth + exact tag name (tightest, used first) + * - `_wildcardByDepth` — exact depth + wildcard tag `*` (depth-matched only) + * - `_deepWildcards` — expressions containing `..` (cannot be depth-indexed) + * + * @example + * import { Expression, ExpressionSet } from 'fast-xml-tagger'; + * + * // Build once at config time + * const stopNodes = new ExpressionSet(); + * stopNodes.add(new Expression('root.users.user')); + * stopNodes.add(new Expression('root.config.setting')); + * stopNodes.add(new Expression('..script')); + * + * // Query on every tag — hot path + * if (stopNodes.matchesAny(matcher)) { ... } + */ +class ExpressionSet { + constructor() { + /** @type {Map} depth:tag → expressions */ + this._byDepthAndTag = new Map(); + + /** @type {Map} depth → wildcard-tag expressions */ + this._wildcardByDepth = new Map(); + + /** @type {import('./Expression.js').default[]} expressions containing deep wildcard (..) */ + this._deepWildcards = []; + + /** @type {Set} pattern strings already added — used for deduplication */ + this._patterns = new Set(); + + /** @type {boolean} whether the set is sealed against further additions */ + this._sealed = false; + } + + /** + * Add an Expression to the set. + * Duplicate patterns (same pattern string) are silently ignored. + * + * @param {import('./Expression.js').default} expression - A pre-constructed Expression instance + * @returns {this} for chaining + * @throws {TypeError} if called after seal() + * + * @example + * set.add(new Expression('root.users.user')); + * set.add(new Expression('..script')); + */ + add(expression) { + if (this._sealed) { + throw new TypeError( + 'ExpressionSet is sealed. Create a new ExpressionSet to add more expressions.' + ); + } + + // Deduplicate by pattern string + if (this._patterns.has(expression.pattern)) return this; + this._patterns.add(expression.pattern); + + if (expression.hasDeepWildcard()) { + this._deepWildcards.push(expression); + return this; + } + + const depth = expression.length; + const lastSeg = expression.segments[expression.segments.length - 1]; + const tag = lastSeg?.tag; + + if (!tag || tag === '*') { + // Can index by depth but not by tag + if (!this._wildcardByDepth.has(depth)) this._wildcardByDepth.set(depth, []); + this._wildcardByDepth.get(depth).push(expression); + } else { + // Tightest bucket: depth + tag + const key = `${depth}:${tag}`; + if (!this._byDepthAndTag.has(key)) this._byDepthAndTag.set(key, []); + this._byDepthAndTag.get(key).push(expression); + } + + return this; + } + + /** + * Add multiple expressions at once. + * + * @param {import('./Expression.js').default[]} expressions - Array of Expression instances + * @returns {this} for chaining + * + * @example + * set.addAll([ + * new Expression('root.users.user'), + * new Expression('root.config.setting'), + * ]); + */ + addAll(expressions) { + for (const expr of expressions) this.add(expr); + return this; + } + + /** + * Check whether a pattern string is already present in the set. + * + * @param {import('./Expression.js').default} expression + * @returns {boolean} + */ + has(expression) { + return this._patterns.has(expression.pattern); + } + + /** + * Number of expressions in the set. + * @type {number} + */ + get size() { + return this._patterns.size; + } + + /** + * Seal the set against further modifications. + * Useful to prevent accidental mutations after config is built. + * Calling add() or addAll() on a sealed set throws a TypeError. + * + * @returns {this} + */ + seal() { + this._sealed = true; + return this; + } + + /** + * Whether the set has been sealed. + * @type {boolean} + */ + get isSealed() { + return this._sealed; + } + + /** + * Test whether the matcher's current path matches any expression in the set. + * + * Evaluation order (cheapest → most expensive): + * 1. Exact depth + tag bucket — O(1) lookup, typically 0–2 expressions + * 2. Depth-only wildcard bucket — O(1) lookup, rare + * 3. Deep-wildcard list — always checked, but usually small + * + * @param {import('./Matcher.js').default} matcher - Matcher instance (or readOnly view) + * @returns {boolean} true if any expression matches the current path + * + * @example + * if (stopNodes.matchesAny(matcher)) { + * // handle stop node + * } + */ + matchesAny(matcher) { + return this.findMatch(matcher) !== null; + } + /** + * Find and return the first Expression that matches the matcher's current path. + * + * Uses the same evaluation order as matchesAny (cheapest → most expensive): + * 1. Exact depth + tag bucket + * 2. Depth-only wildcard bucket + * 3. Deep-wildcard list + * + * @param {import('./Matcher.js').default} matcher - Matcher instance (or readOnly view) + * @returns {import('./Expression.js').default | null} the first matching Expression, or null + * + * @example + * const expr = stopNodes.findMatch(matcher); + * if (expr) { + * // access expr.config, expr.pattern, etc. + * } + */ + findMatch(matcher) { + const depth = matcher.getDepth(); + const tag = matcher.getCurrentTag(); + + // 1. Tightest bucket — most expressions live here + const exactKey = `${depth}:${tag}`; + const exactBucket = this._byDepthAndTag.get(exactKey); + if (exactBucket) { + for (let i = 0; i < exactBucket.length; i++) { + if (matcher.matches(exactBucket[i])) return exactBucket[i]; + } + } + + // 2. Depth-matched wildcard-tag expressions + const wildcardBucket = this._wildcardByDepth.get(depth); + if (wildcardBucket) { + for (let i = 0; i < wildcardBucket.length; i++) { + if (matcher.matches(wildcardBucket[i])) return wildcardBucket[i]; + } + } + + // 3. Deep wildcards — cannot be pre-filtered by depth or tag + for (let i = 0; i < this._deepWildcards.length; i++) { + if (matcher.matches(this._deepWildcards[i])) return this._deepWildcards[i]; + } + + return null; + } +} + +;// CONCATENATED MODULE: ./node_modules/@nodable/entities/src/entities.js +// --------------------------------------------------------------------------- +// Complete HTML5 named entity reference +// Organized by logical categories for easy maintenance and selective importing +// --------------------------------------------------------------------------- + +/** + * Basic Latin & Special Characters + * @type {Record} + */ +const BASIC_LATIN = { + amp: '&', + AMP: '&', + lt: '<', + LT: '<', + gt: '>', + GT: '>', + quot: '"', + QUOT: '"', + apos: "'", + lsquo: '‘', + rsquo: '’', + ldquo: '“', + rdquo: '”', + lsquor: '‚', + rsquor: '’', + ldquor: '„', + bdquo: '„', + comma: ',', + period: '.', + colon: ':', + semi: ';', + excl: '!', + quest: '?', + num: '#', + dollar: '$', + percent: '%', + amp: '&', + ast: '*', + commat: '@', + lowbar: '_', + verbar: '|', + vert: '|', + sol: '/', + bsol: '\\', + lbrace: '{', + rbrace: '}', + lbrack: '[', + rbrack: ']', + lpar: '(', + rpar: ')', + nbsp: '\u00a0', + iexcl: '¡', + cent: '¢', + pound: '£', + curren: '¤', + yen: '¥', + brvbar: '¦', + sect: '§', + uml: '¨', + copy: '©', + COPY: '©', + ordf: 'ª', + laquo: '«', + not: '¬', + shy: '\u00ad', + reg: '®', + REG: '®', + macr: '¯', + deg: '°', + plusmn: '±', + sup2: '²', + sup3: '³', + acute: '´', + micro: 'µ', + para: '¶', + middot: '·', + cedil: '¸', + sup1: '¹', + ordm: 'º', + raquo: '»', + frac14: '¼', + frac12: '½', + half: '½', + frac34: '¾', + iquest: '¿', + times: '×', + div: '÷', + divide: '÷', +}; + +/** + * Latin Extended & Accented Letters (A-Z) + * @type {Record} + */ +const LATIN_ACCENTS = { + Agrave: 'À', + agrave: 'à', + Aacute: 'Á', + aacute: 'á', + Acirc: 'Â', + acirc: 'â', + Atilde: 'Ã', + atilde: 'ã', + Auml: 'Ä', + auml: 'ä', + Aring: 'Å', + aring: 'å', + AElig: 'Æ', + aelig: 'æ', + Ccedil: 'Ç', + ccedil: 'ç', + Egrave: 'È', + egrave: 'è', + Eacute: 'É', + eacute: 'é', + Ecirc: 'Ê', + ecirc: 'ê', + Euml: 'Ë', + euml: 'ë', + Igrave: 'Ì', + igrave: 'ì', + Iacute: 'Í', + iacute: 'í', + Icirc: 'Î', + icirc: 'î', + Iuml: 'Ï', + iuml: 'ï', + ETH: 'Ð', + eth: 'ð', + Ntilde: 'Ñ', + ntilde: 'ñ', + Ograve: 'Ò', + ograve: 'ò', + Oacute: 'Ó', + oacute: 'ó', + Ocirc: 'Ô', + ocirc: 'ô', + Otilde: 'Õ', + otilde: 'õ', + Ouml: 'Ö', + ouml: 'ö', + Oslash: 'Ø', + oslash: 'ø', + Ugrave: 'Ù', + ugrave: 'ù', + Uacute: 'Ú', + uacute: 'ú', + Ucirc: 'Û', + ucirc: 'û', + Uuml: 'Ü', + uuml: 'ü', + Yacute: 'Ý', + yacute: 'ý', + THORN: 'Þ', + thorn: 'þ', + szlig: 'ß', + yuml: 'ÿ', + Yuml: 'Ÿ', +}; + +/** + * Latin Extended (Letters with diacritics) + * @type {Record} + */ +const LATIN_EXTENDED = { + Amacr: 'Ā', + amacr: 'ā', + Abreve: 'Ă', + abreve: 'ă', + Aogon: 'Ą', + aogon: 'ą', + Cacute: 'Ć', + cacute: 'ć', + Ccirc: 'Ĉ', + ccirc: 'ĉ', + Cdot: 'Ċ', + cdot: 'ċ', + Ccaron: 'Č', + ccaron: 'č', + Dcaron: 'Ď', + dcaron: 'ď', + Dstrok: 'Đ', + dstrok: 'đ', + Emacr: 'Ē', + emacr: 'ē', + Ecaron: 'Ě', + ecaron: 'ě', + Edot: 'Ė', + edot: 'ė', + Eogon: 'Ę', + eogon: 'ę', + Gcirc: 'Ĝ', + gcirc: 'ĝ', + Gbreve: 'Ğ', + gbreve: 'ğ', + Gdot: 'Ġ', + gdot: 'ġ', + Gcedil: 'Ģ', + Hcirc: 'Ĥ', + hcirc: 'ĥ', + Hstrok: 'Ħ', + hstrok: 'ħ', + Itilde: 'Ĩ', + itilde: 'ĩ', + Imacr: 'Ī', + imacr: 'ī', + Iogon: 'Į', + iogon: 'į', + Idot: 'İ', + IJlig: 'IJ', + ijlig: 'ij', + Jcirc: 'Ĵ', + jcirc: 'ĵ', + Kcedil: 'Ķ', + kcedil: 'ķ', + kgreen: 'ĸ', + Lacute: 'Ĺ', + lacute: 'ĺ', + Lcedil: 'Ļ', + lcedil: 'ļ', + Lcaron: 'Ľ', + lcaron: 'ľ', + Lmidot: 'Ŀ', + lmidot: 'ŀ', + Lstrok: 'Ł', + lstrok: 'ł', + Nacute: 'Ń', + nacute: 'ń', + Ncaron: 'Ň', + ncaron: 'ň', + Ncedil: 'Ņ', + ncedil: 'ņ', + ENG: 'Ŋ', + eng: 'ŋ', + Omacr: 'Ō', + omacr: 'ō', + Odblac: 'Ő', + odblac: 'ő', + OElig: 'Œ', + oelig: 'œ', + Racute: 'Ŕ', + racute: 'ŕ', + Rcaron: 'Ř', + rcaron: 'ř', + Rcedil: 'Ŗ', + rcedil: 'ŗ', + Sacute: 'Ś', + sacute: 'ś', + Scirc: 'Ŝ', + scirc: 'ŝ', + Scedil: 'Ş', + scedil: 'ş', + Scaron: 'Š', + scaron: 'š', + Tcedil: 'Ţ', + tcedil: 'ţ', + Tcaron: 'Ť', + tcaron: 'ť', + Tstrok: 'Ŧ', + tstrok: 'ŧ', + Utilde: 'Ũ', + utilde: 'ũ', + Umacr: 'Ū', + umacr: 'ū', + Ubreve: 'Ŭ', + ubreve: 'ŭ', + Uring: 'Ů', + uring: 'ů', + Udblac: 'Ű', + udblac: 'ű', + Uogon: 'Ų', + uogon: 'ų', + Wcirc: 'Ŵ', + wcirc: 'ŵ', + Ycirc: 'Ŷ', + ycirc: 'ŷ', + Zacute: 'Ź', + zacute: 'ź', + Zdot: 'Ż', + zdot: 'ż', + Zcaron: 'Ž', + zcaron: 'ž', +}; + +/** + * Greek Letters + * @type {Record} + */ +const GREEK = { + Alpha: 'Α', + alpha: 'α', + Beta: 'Β', + beta: 'β', + Gamma: 'Γ', + gamma: 'γ', + Delta: 'Δ', + delta: 'δ', + Epsilon: 'Ε', + epsilon: 'ε', + epsiv: 'ϵ', + varepsilon: 'ϵ', + Zeta: 'Ζ', + zeta: 'ζ', + Eta: 'Η', + eta: 'η', + Theta: 'Θ', + theta: 'θ', + thetasym: 'ϑ', + vartheta: 'ϑ', + Iota: 'Ι', + iota: 'ι', + Kappa: 'Κ', + kappa: 'κ', + kappav: 'ϰ', + varkappa: 'ϰ', + Lambda: 'Λ', + lambda: 'λ', + Mu: 'Μ', + mu: 'μ', + Nu: 'Ν', + nu: 'ν', + Xi: 'Ξ', + xi: 'ξ', + Omicron: 'Ο', + omicron: 'ο', + Pi: 'Π', + pi: 'π', + piv: 'ϖ', + varpi: 'ϖ', + Rho: 'Ρ', + rho: 'ρ', + rhov: 'ϱ', + varrho: 'ϱ', + Sigma: 'Σ', + sigma: 'σ', + sigmaf: 'ς', + sigmav: 'ς', + varsigma: 'ς', + Tau: 'Τ', + tau: 'τ', + Upsilon: 'Υ', + upsilon: 'υ', + upsi: 'υ', + Upsi: 'ϒ', + upsih: 'ϒ', + Phi: 'Φ', + phi: 'φ', + phiv: 'ϕ', + varphi: 'ϕ', + Chi: 'Χ', + chi: 'χ', + Psi: 'Ψ', + psi: 'ψ', + Omega: 'Ω', + omega: 'ω', + ohm: 'Ω', + Gammad: 'Ϝ', + gammad: 'ϝ', + digamma: 'ϝ', +}; + +/** + * Cyrillic Letters + * @type {Record} + */ +const CYRILLIC = { + Afr: '𝔄', + afr: '𝔞', + Acy: 'А', + acy: 'а', + Bcy: 'Б', + bcy: 'б', + Vcy: 'В', + vcy: 'в', + Gcy: 'Г', + gcy: 'г', + Dcy: 'Д', + dcy: 'д', + IEcy: 'Е', + iecy: 'е', + IOcy: 'Ё', + iocy: 'ё', + ZHcy: 'Ж', + zhcy: 'ж', + Zcy: 'З', + zcy: 'з', + Icy: 'И', + icy: 'и', + Jcy: 'Й', + jcy: 'й', + Kcy: 'К', + kcy: 'к', + Lcy: 'Л', + lcy: 'л', + Mcy: 'М', + mcy: 'м', + Ncy: 'Н', + ncy: 'н', + Ocy: 'О', + ocy: 'о', + Pcy: 'П', + pcy: 'п', + Rcy: 'Р', + rcy: 'р', + Scy: 'С', + scy: 'с', + Tcy: 'Т', + tcy: 'т', + Ucy: 'У', + ucy: 'у', + Fcy: 'Ф', + fcy: 'ф', + KHcy: 'Х', + khcy: 'х', + TScy: 'Ц', + tscy: 'ц', + CHcy: 'Ч', + chcy: 'ч', + SHcy: 'Ш', + shcy: 'ш', + SHCHcy: 'Щ', + shchcy: 'щ', + HARDcy: 'Ъ', + hardcy: 'ъ', + Ycy: 'Ы', + ycy: 'ы', + SOFTcy: 'Ь', + softcy: 'ь', + Ecy: 'Э', + ecy: 'э', + YUcy: 'Ю', + yucy: 'ю', + YAcy: 'Я', + yacy: 'я', + DJcy: 'Ђ', + djcy: 'ђ', + GJcy: 'Ѓ', + gjcy: 'ѓ', + Jukcy: 'Є', + jukcy: 'є', + DScy: 'Ѕ', + dscy: 'ѕ', + Iukcy: 'І', + iukcy: 'і', + YIcy: 'Ї', + yicy: 'ї', + Jsercy: 'Ј', + jsercy: 'ј', + LJcy: 'Љ', + ljcy: 'љ', + NJcy: 'Њ', + njcy: 'њ', + TSHcy: 'Ћ', + tshcy: 'ћ', + KJcy: 'Ќ', + kjcy: 'ќ', + Ubrcy: 'Ў', + ubrcy: 'ў', + DZcy: 'Џ', + dzcy: 'џ', +}; + +/** + * Mathematical Operators & Relations + * @type {Record} + */ +const MATH = { + plus: '+', + minus: '−', + mnplus: '∓', + mp: '∓', + pm: '±', + times: '×', + div: '÷', + divide: '÷', + sdot: '⋅', + star: '☆', + starf: '★', + bigstar: '★', + lowast: '∗', + ast: '*', + midast: '*', + compfn: '∘', + smallcircle: '∘', + bullet: '•', + bull: '•', + nbsp: '\u00a0', + hellip: '…', + mldr: '…', + prime: '′', + Prime: '″', + tprime: '‴', + bprime: '‵', + backprime: '‵', + minus: '−', + minusd: '∸', + dotminus: '∸', + plusdo: '∔', + dotplus: '∔', + plusmn: '±', + minusplus: '∓', + mnplus: '∓', + mp: '∓', + setminus: '∖', + smallsetminus: '∖', + Backslash: '∖', + setmn: '∖', + ssetmn: '∖', + lowbar: '_', + verbar: '|', + vert: '|', + VerticalLine: '|', + colon: ':', + Colon: '∷', + Proportion: '∷', + ratio: '∶', + equals: '=', + ne: '≠', + nequiv: '≢', + equiv: '≡', + Congruent: '≡', + sim: '∼', + thicksim: '∼', + thksim: '∼', + sime: '≃', + simeq: '≃', + TildeEqual: '≃', + asymp: '≈', + approx: '≈', + thickapprox: '≈', + thkap: '≈', + TildeTilde: '≈', + ncong: '≇', + cong: '≅', + TildeFullEqual: '≅', + asympeq: '≍', + CupCap: '≍', + bump: '≎', + Bumpeq: '≎', + HumpDownHump: '≎', + bumpe: '≏', + bumpeq: '≏', + HumpEqual: '≏', + dotminus: '∸', + minusd: '∸', + plusdo: '∔', + dotplus: '∔', + le: '≤', + LessEqual: '≤', + ge: '≥', + GreaterEqual: '≥', + lesseqgtr: '⋚', + lesseqqgtr: '⪋', + greater: '>', + less: '<', +}; + +/** + * Mathematical Operators (Advanced) + * @type {Record} + */ +const MATH_ADVANCED = { + alefsym: 'ℵ', + aleph: 'ℵ', + beth: 'ℶ', + gimel: 'ℷ', + daleth: 'ℸ', + forall: '∀', + ForAll: '∀', + part: '∂', + PartialD: '∂', + exist: '∃', + Exists: '∃', + nexist: '∄', + nexists: '∄', + empty: '∅', + emptyset: '∅', + emptyv: '∅', + varnothing: '∅', + nabla: '∇', + Del: '∇', + isin: '∈', + isinv: '∈', + in: '∈', + Element: '∈', + notin: '∉', + notinva: '∉', + ni: '∋', + niv: '∋', + SuchThat: '∋', + ReverseElement: '∋', + notni: '∌', + notniva: '∌', + prod: '∏', + Product: '∏', + coprod: '∐', + Coproduct: '∐', + sum: '∑', + Sum: '∑', + minus: '−', + mp: '∓', + plusdo: '∔', + dotplus: '∔', + setminus: '∖', + lowast: '∗', + radic: '√', + Sqrt: '√', + prop: '∝', + propto: '∝', + Proportional: '∝', + varpropto: '∝', + infin: '∞', + infintie: '⧝', + ang: '∠', + angle: '∠', + angmsd: '∡', + measuredangle: '∡', + angsph: '∢', + mid: '∣', + VerticalBar: '∣', + nmid: '∤', + nsmid: '∤', + npar: '∦', + parallel: '∥', + spar: '∥', + nparallel: '∦', + nspar: '∦', + and: '∧', + wedge: '∧', + or: '∨', + vee: '∨', + cap: '∩', + cup: '∪', + int: '∫', + Integral: '∫', + conint: '∮', + ContourIntegral: '∮', + Conint: '∯', + DoubleContourIntegral: '∯', + Cconint: '∰', + there4: '∴', + therefore: '∴', + Therefore: '∴', + becaus: '∵', + because: '∵', + Because: '∵', + ratio: '∶', + Proportion: '∷', + minusd: '∸', + dotminus: '∸', + mDDot: '∺', + homtht: '∻', + sim: '∼', + bsimg: '∽', + backsim: '∽', + ac: '∾', + mstpos: '∾', + acd: '∿', + VerticalTilde: '≀', + wr: '≀', + wreath: '≀', + nsime: '≄', + nsimeq: '≄', + nsimeq: '≄', + ncong: '≇', + simne: '≆', + ncongdot: '⩭̸', + ngsim: '≵', + nsim: '≁', + napprox: '≉', + nap: '≉', + ngeq: '≱', + nge: '≱', + nleq: '≰', + nle: '≰', + ngtr: '≯', + ngt: '≯', + nless: '≮', + nlt: '≮', + nprec: '⊀', + npr: '⊀', + nsucc: '⊁', + nsc: '⊁', +}; + +/** + * Arrows + * @type {Record} + */ +const ARROWS = { + larr: '←', + leftarrow: '←', + LeftArrow: '←', + uarr: '↑', + uparrow: '↑', + UpArrow: '↑', + rarr: '→', + rightarrow: '→', + RightArrow: '→', + darr: '↓', + downarrow: '↓', + DownArrow: '↓', + harr: '↔', + leftrightarrow: '↔', + LeftRightArrow: '↔', + varr: '↕', + updownarrow: '↕', + UpDownArrow: '↕', + nwarr: '↖', + nwarrow: '↖', + UpperLeftArrow: '↖', + nearr: '↗', + nearrow: '↗', + UpperRightArrow: '↗', + searr: '↘', + searrow: '↘', + LowerRightArrow: '↘', + swarr: '↙', + swarrow: '↙', + LowerLeftArrow: '↙', + lArr: '⇐', + Leftarrow: '⇐', + uArr: '⇑', + Uparrow: '⇑', + rArr: '⇒', + Rightarrow: '⇒', + dArr: '⇓', + Downarrow: '⇓', + hArr: '⇔', + Leftrightarrow: '⇔', + iff: '⇔', + vArr: '⇕', + Updownarrow: '⇕', + lAarr: '⇚', + Lleftarrow: '⇚', + rAarr: '⇛', + Rrightarrow: '⇛', + lrarr: '⇆', + leftrightarrows: '⇆', + rlarr: '⇄', + rightleftarrows: '⇄', + lrhar: '⇋', + leftrightharpoons: '⇋', + ReverseEquilibrium: '⇋', + rlhar: '⇌', + rightleftharpoons: '⇌', + Equilibrium: '⇌', + udarr: '⇅', + UpArrowDownArrow: '⇅', + duarr: '⇵', + DownArrowUpArrow: '⇵', + llarr: '⇇', + leftleftarrows: '⇇', + rrarr: '⇉', + rightrightarrows: '⇉', + ddarr: '⇊', + downdownarrows: '⇊', + har: '↽', + lhard: '↽', + leftharpoondown: '↽', + lharu: '↼', + leftharpoonup: '↼', + rhard: '⇁', + rightharpoondown: '⇁', + rharu: '⇀', + rightharpoonup: '⇀', + lsh: '↰', + Lsh: '↰', + rsh: '↱', + Rsh: '↱', + ldsh: '↲', + rdsh: '↳', + hookleftarrow: '↩', + hookrightarrow: '↪', + mapstoleft: '↤', + mapstoup: '↥', + map: '↦', + mapsto: '↦', + mapstodown: '↧', + crarr: '↵', + nwarrow: '↖', + nearrow: '↗', + searrow: '↘', + swarrow: '↙', + nleftarrow: '↚', + nleftrightarrow: '↮', + nrightarrow: '↛', + nrarr: '↛', + larrtl: '↢', + rarrtl: '↣', + leftarrowtail: '↢', + rightarrowtail: '↣', + twoheadleftarrow: '↞', + twoheadrightarrow: '↠', + Larr: '↞', + Rarr: '↠', + larrhk: '↩', + rarrhk: '↪', + larrlp: '↫', + looparrowleft: '↫', + rarrlp: '↬', + looparrowright: '↬', + harrw: '↭', + leftrightsquigarrow: '↭', + nrarrw: '↝̸', + rarrw: '↝', + rightsquigarrow: '↝', + larrbfs: '⤟', + rarrbfs: '⤠', + nvHarr: '⤄', + nvlArr: '⤂', + nvrArr: '⤃', + larrfs: '⤝', + rarrfs: '⤞', + Map: '⤅', + larrsim: '⥳', + rarrsim: '⥴', + harrcir: '⥈', + Uarrocir: '⥉', + lurdshar: '⥊', + ldrdhar: '⥧', + ldrushar: '⥋', + rdldhar: '⥩', + lrhard: '⥭', + rlhar: '⇌', + uharr: '↾', + uharl: '↿', + dharr: '⇂', + dharl: '⇃', + Uarr: '↟', + Darr: '↡', + zigrarr: '⇝', + nwArr: '⇖', + neArr: '⇗', + seArr: '⇘', + swArr: '⇙', + nharr: '↮', + nhArr: '⇎', + nlarr: '↚', + nlArr: '⇍', + nrarr: '↛', + nrArr: '⇏', + larrb: '⇤', + LeftArrowBar: '⇤', + rarrb: '⇥', + RightArrowBar: '⇥', +}; + +/** + * Geometric Shapes + * @type {Record} + */ +const SHAPES = { + square: '□', + Square: '□', + squ: '□', + squf: '▪', + squarf: '▪', + blacksquar: '▪', + blacksquare: '▪', + FilledVerySmallSquare: '▪', + blk34: '▓', + blk12: '▒', + blk14: '░', + block: '█', + srect: '▭', + rect: '▭', + sdot: '⋅', + sdotb: '⊡', + dotsquare: '⊡', + triangle: '▵', + tri: '▵', + trine: '▵', + utri: '▵', + triangledown: '▿', + dtri: '▿', + tridown: '▿', + triangleleft: '◃', + ltri: '◃', + triangleright: '▹', + rtri: '▹', + blacktriangle: '▴', + utrif: '▴', + blacktriangledown: '▾', + dtrif: '▾', + blacktriangleleft: '◂', + ltrif: '◂', + blacktriangleright: '▸', + rtrif: '▸', + loz: '◊', + lozenge: '◊', + blacklozenge: '⧫', + lozf: '⧫', + bigcirc: '◯', + xcirc: '◯', + circ: 'ˆ', + Circle: '○', + cir: '○', + o: '○', + bullet: '•', + bull: '•', + hellip: '…', + mldr: '…', + nldr: '‥', + boxh: '─', + HorizontalLine: '─', + boxv: '│', + boxdr: '┌', + boxdl: '┐', + boxur: '└', + boxul: '┘', + boxvr: '├', + boxvl: '┤', + boxhd: '┬', + boxhu: '┴', + boxvh: '┼', + boxH: '═', + boxV: '║', + boxdR: '╒', + boxDr: '╓', + boxDR: '╔', + boxDl: '╕', + boxdL: '╖', + boxDL: '╗', + boxuR: '╘', + boxUr: '╙', + boxUR: '╚', + boxUl: '╜', + boxuL: '╛', + boxUL: '╝', + boxvR: '╞', + boxVr: '╟', + boxVR: '╠', + boxVl: '╢', + boxvL: '╡', + boxVL: '╣', + boxHd: '╤', + boxhD: '╥', + boxHD: '╦', + boxHu: '╧', + boxhU: '╨', + boxHU: '╩', + boxvH: '╪', + boxVh: '╫', + boxVH: '╬', +}; + +/** + * Punctuation & Diacritics + * @type {Record} + */ +const PUNCTUATION = { + excl: '!', + iexcl: '¡', + brvbar: '¦', + sect: '§', + uml: '¨', + copy: '©', + ordf: 'ª', + laquo: '«', + not: '¬', + shy: '\u00ad', + reg: '®', + macr: '¯', + deg: '°', + plusmn: '±', + sup2: '²', + sup3: '³', + acute: '´', + micro: 'µ', + para: '¶', + middot: '·', + cedil: '¸', + sup1: '¹', + ordm: 'º', + raquo: '»', + frac14: '¼', + frac12: '½', + frac34: '¾', + iquest: '¿', + nbsp: '\u00a0', + comma: ',', + period: '.', + colon: ':', + semi: ';', + vert: '|', + Verbar: '‖', + verbar: '|', + dblac: '˝', + circ: 'ˆ', + caron: 'ˇ', + breve: '˘', + dot: '˙', + ring: '˚', + ogon: '˛', + tilde: '˜', + DiacriticalGrave: '`', + DiacriticalAcute: '´', + DiacriticalTilde: '˜', + DiacriticalDot: '˙', + DiacriticalDoubleAcute: '˝', + grave: '`', + acute: '´', +}; + +/** + * Currency Symbols + * @type {Record} + */ +const CURRENCY = { + cent: '¢', + pound: '£', + curren: '¤', + yen: '¥', + euro: '€', + dollar: '$', + euro: '€', + fnof: 'ƒ', + inr: '₹', + af: '؋', + birr: 'ብር', + peso: '₱', + rub: '₽', + won: '₩', + yuan: '¥', + cedil: '¸', +}; + +/** + * Fractions + * @type {Record} + */ +const FRACTIONS = { + frac12: '½', + half: '½', + frac13: '⅓', + frac14: '¼', + frac15: '⅕', + frac16: '⅙', + frac18: '⅛', + frac23: '⅔', + frac25: '⅖', + frac34: '¾', + frac35: '⅗', + frac38: '⅜', + frac45: '⅘', + frac56: '⅚', + frac58: '⅝', + frac78: '⅞', + frasl: '⁄', +}; + +/** + * Miscellaneous Symbols + * @type {Record} + */ +const MISC_SYMBOLS = { + trade: '™', + TRADE: '™', + telrec: '⌕', + target: '⌖', + ulcorn: '⌜', + ulcorner: '⌜', + urcorn: '⌝', + urcorner: '⌝', + dlcorn: '⌞', + llcorner: '⌞', + drcorn: '⌟', + lrcorner: '⌟', + intercal: '⊺', + intcal: '⊺', + oplus: '⊕', + CirclePlus: '⊕', + ominus: '⊖', + CircleMinus: '⊖', + otimes: '⊗', + CircleTimes: '⊗', + osol: '⊘', + odot: '⊙', + CircleDot: '⊙', + oast: '⊛', + circledast: '⊛', + odash: '⊝', + circleddash: '⊝', + ocirc: '⊚', + circledcirc: '⊚', + boxplus: '⊞', + plusb: '⊞', + boxminus: '⊟', + minusb: '⊟', + boxtimes: '⊠', + timesb: '⊠', + boxdot: '⊡', + sdotb: '⊡', + veebar: '⊻', + vee: '∨', + barvee: '⊽', + and: '∧', + wedge: '∧', + Cap: '⋒', + Cup: '⋓', + Fork: '⋔', + pitchfork: '⋔', + epar: '⋕', + ltlarr: '⥶', + nvap: '≍⃒', + nvsim: '∼⃒', + nvge: '≥⃒', + nvle: '≤⃒', + nvlt: '<⃒', + nvgt: '>⃒', + nvltrie: '⊴⃒', + nvrtrie: '⊵⃒', + Vdash: '⊩', + dashv: '⊣', + vDash: '⊨', + Vdash: '⊩', + Vvdash: '⊪', + nvdash: '⊬', + nvDash: '⊭', + nVdash: '⊮', + nVDash: '⊯', +}; + +/** + * All entities combined (if you need everything) + * @type {Record} + */ +const ALL_ENTITIES = { + ...BASIC_LATIN, + ...LATIN_ACCENTS, + ...LATIN_EXTENDED, + ...GREEK, + ...CYRILLIC, + ...MATH, + ...MATH_ADVANCED, + ...ARROWS, + ...SHAPES, + ...PUNCTUATION, + ...CURRENCY, + ...FRACTIONS, + ...MISC_SYMBOLS, +}; + +const XML = { + amp: "&", + apos: "'", + gt: ">", + lt: "<", + quot: "\"" +} +const COMMON_HTML = { + nbsp: '\u00a0', + copy: '\u00a9', + reg: '\u00ae', + trade: '\u2122', + mdash: '\u2014', + ndash: '\u2013', + hellip: '\u2026', + laquo: '\u00ab', + raquo: '\u00bb', + lsquo: '\u2018', + rsquo: '\u2019', + ldquo: '\u201c', + rdquo: '\u201d', + bull: '\u2022', + para: '\u00b6', + sect: '\u00a7', + deg: '\u00b0', + frac12: '\u00bd', + frac14: '\u00bc', + frac34: '\u00be', +} +// --------------------------------------------------------------------------- +// Note: NUMERIC_ENTITIES (&#NNN; / &#xHH;) are handled by the scanner directly +// via String.fromCodePoint() without any map lookup. +// --------------------------------------------------------------------------- +;// CONCATENATED MODULE: ./node_modules/@nodable/entities/src/EntityDecoder.js +// --------------------------------------------------------------------------- +// Built-in named entity map (name → replacement string) +// No regex, no {regex,val} objects — just flat key/value pairs. +// --------------------------------------------------------------------------- + + + +// --------------------------------------------------------------------------- +// Helpers +// --------------------------------------------------------------------------- + +const SPECIAL_CHARS = new Set('!?\\\\/[]$%{}^&*()<>|+'); + +/** + * Validate that an entity name contains no dangerous characters. + * @param {string} name + * @returns {string} the name, unchanged + * @throws {Error} on invalid characters + */ +function EntityDecoder_validateEntityName(name) { + if (name[0] === '#') { + throw new Error(`[EntityReplacer] Invalid character '#' in entity name: "${name}"`); + } + for (const ch of name) { + if (SPECIAL_CHARS.has(ch)) { + throw new Error(`[EntityReplacer] Invalid character '${ch}' in entity name: "${name}"`); + } + } + return name; +} + +/** + * Merge one or more entity maps into a flat name→string map. + * Accepts either: + * - plain string values: { amp: '&' } + * - legacy {regex,val} / {regx,val}: { lt: { regex: /.../, val: '<' } } + * + * Values containing '&' are skipped (recursive expansion risk). + * + * @param {...object} maps + * @returns {Record} + */ +function mergeEntityMaps(...maps) { + const out = Object.create(null); + for (const map of maps) { + if (!map) continue; + for (const key of Object.keys(map)) { + const raw = map[key]; + if (typeof raw === 'string') { + out[key] = raw; + } else if (raw && typeof raw === 'object' && raw.val !== undefined) { + // Legacy {regex,val} or {regx,val} — extract the string val only + const val = raw.val; + if (typeof val === 'string') { + out[key] = val; + } + // function vals are not supported in the scanner — skip + } + } + } + return out; +} + +// --------------------------------------------------------------------------- +// applyLimitsTo helpers +// --------------------------------------------------------------------------- + +const LIMIT_TIER_EXTERNAL = 'external'; // input/runtime + persistent external maps +const LIMIT_TIER_BASE = 'base'; // DEFAULT_XML_ENTITIES + namedEntities (system) maps +const LIMIT_TIER_ALL = 'all'; // every entity regardless of tier + +/** + * Resolve `applyLimitsTo` option into a normalised Set of tier strings. + * Accepted values: 'external' | 'base' | 'all' | string[] + * Default: 'external' (only untrusted injected entities are counted). + * @param {string|string[]|undefined} raw + * @returns {Set} + */ +function parseLimitTiers(raw) { + if (!raw || raw === LIMIT_TIER_EXTERNAL) return new Set([LIMIT_TIER_EXTERNAL]); + if (raw === LIMIT_TIER_ALL) return new Set([LIMIT_TIER_ALL]); + if (raw === LIMIT_TIER_BASE) return new Set([LIMIT_TIER_BASE]); + if (Array.isArray(raw)) return new Set(raw); + return new Set([LIMIT_TIER_EXTERNAL]); // safe default for unrecognised values +} + +// --------------------------------------------------------------------------- +// NCR (Numeric Character Reference) classification +// --------------------------------------------------------------------------- + +// Severity order — higher number = stricter action. +// Used to enforce minimum action levels for specific codepoint ranges. +const NCR_LEVEL = Object.freeze({ allow: 0, leave: 1, remove: 2, throw: 3 }); + +// XML 1.0 §2.2: allowed chars are #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF] +// Restricted C0: U+0001–U+001F excluding U+0009, U+000A, U+000D +const XML10_ALLOWED_C0 = new Set([0x09, 0x0A, 0x0D]); + +/** + * Parse the `ncr` constructor option into flat, hot-path-friendly fields. + * @param {object|undefined} ncr + * @returns {{ xmlVersion: number, onLevel: number, nullLevel: number }} + */ +function parseNCRConfig(ncr) { + if (!ncr) { + return { xmlVersion: 1.0, onLevel: NCR_LEVEL.allow, nullLevel: NCR_LEVEL.remove }; + } + const xmlVersion = ncr.xmlVersion === 1.1 ? 1.1 : 1.0; + const onLevel = NCR_LEVEL[ncr.onNCR] ?? NCR_LEVEL.allow; + const nullLevel = NCR_LEVEL[ncr.nullNCR] ?? NCR_LEVEL.remove; + // 'allow' is not meaningful for null — clamp to at least 'remove' + const clampedNull = Math.max(nullLevel, NCR_LEVEL.remove); + return { xmlVersion, onLevel, nullLevel: clampedNull }; +} + +// --------------------------------------------------------------------------- +// EntityReplacer +// --------------------------------------------------------------------------- + +/** + * Single-pass, zero-regex entity replacer for XML/HTML content. + * + * Algorithm: scan the string once for '&', read to ';', resolve via map + * or direct codepoint conversion, build output chunks, join once at the end. + * + * Entity lookup priority (highest → lowest): + * 1. input / runtime (DOCTYPE entities for current document) + * 2. persistent external (survive across documents) + * 3. base named map (DEFAULT_XML_ENTITIES + user-supplied namedEntities) + * + * Both input and external resolve as the 'external' tier for limit purposes. + * Base map entities resolve as the 'base' tier. + * + * Numeric / hex references (&#NNN; / &#xHH;) are resolved directly via + * String.fromCodePoint() — no map needed. They count as 'base' tier. + * + * @example + * const replacer = new EntityReplacer({ namedEntities: COMMON_HTML }); + * replacer.setExternalEntities({ brand: 'Acme' }); + * + * const instance = replacer.reset(); + * instance.addInputEntities({ version: '1.0' }); + * instance.encode('&brand; v&version; <'); // 'Acme v1.0 <' + */ +class EntityDecoder { + /** + * @param {object} [options] + * @param {object|null} [options.namedEntities] — extra named entities merged into base map + * @param {object} [options.limit] — security limits + * @param {number} [options.limit.maxTotalExpansions=0] — 0 = unlimited + * @param {number} [options.limit.maxExpandedLength=0] — 0 = unlimited + * @param {'external'|'base'|'all'|string[]} [options.limit.applyLimitsTo='external'] + * Which entity tiers count against the security limits: + * - 'external' (default) — only input/runtime + persistent external entities + * - 'base' — only DEFAULT_XML_ENTITIES + namedEntities + * - 'all' — every entity regardless of tier + * - string[] — explicit combination, e.g. ['external', 'base'] + * @param {((resolved: string, original: string) => string)|null} [options.postCheck=null] + * @param {string[]} [options.remove=[]] — entity names (e.g. ['nbsp', '#13']) to delete (replace with empty string) + * @param {string[]} [options.leave=[]] — entity names to keep as literal (unchanged in output) + * @param {object} [options.ncr] — Numeric Character Reference controls + * @param {1.0|1.1} [options.ncr.xmlVersion=1.0] + * XML version governing which codepoint ranges are restricted: + * - 1.0 — C0 controls U+0001–U+001F (except U+0009/000A/000D) are prohibited + * - 1.1 — C0 controls are allowed when written as NCRs; C1 (U+007F–U+009F) decoded as-is + * @param {'allow'|'leave'|'remove'|'throw'} [options.ncr.onNCR='allow'] + * Base action for numeric references. Severity order: allow < leave < remove < throw. + * For codepoint ranges that carry a minimum level (surrogates → remove, XML 1.0 C0 → remove), + * the effective action is max(onNCR, rangeMinimum). + * @param {'remove'|'throw'} [options.ncr.nullNCR='remove'] + * Action for U+0000 (null). 'allow' and 'leave' are clamped to 'remove' since null is never safe. + */ + constructor(options = {}) { + this._limit = options.limit || {}; + this._maxTotalExpansions = this._limit.maxTotalExpansions || 0; + this._maxExpandedLength = this._limit.maxExpandedLength || 0; + this._postCheck = typeof options.postCheck === 'function' ? options.postCheck : r => r; + this._limitTiers = parseLimitTiers(this._limit.applyLimitsTo ?? LIMIT_TIER_EXTERNAL); + this._numericAllowed = options.numericAllowed ?? true; + // Base map: DEFAULT_XML_ENTITIES + user-supplied extras. Immutable after construction. + this._baseMap = mergeEntityMaps(XML, options.namedEntities || null); + + // Persistent external entities — survive across documents. + // Stored as a separate map so reset() never touches them. + /** @type {Record} */ + this._externalMap = Object.create(null); + + // Input / runtime entities — current document only, wiped on reset(). + /** @type {Record} */ + this._inputMap = Object.create(null); + + // Per-document counters + this._totalExpansions = 0; + this._expandedLength = 0; + + // --- New: remove / leave sets --- + /** @type {Set} */ + this._removeSet = new Set(options.remove && Array.isArray(options.remove) ? options.remove : []); + /** @type {Set} */ + this._leaveSet = new Set(options.leave && Array.isArray(options.leave) ? options.leave : []); + + // --- NCR config (parsed into flat fields for hot-path speed) --- + const ncrCfg = parseNCRConfig(options.ncr); + this._ncrXmlVersion = ncrCfg.xmlVersion; + this._ncrOnLevel = ncrCfg.onLevel; + this._ncrNullLevel = ncrCfg.nullLevel; + } + + // ------------------------------------------------------------------------- + // Persistent external entity registration + // ------------------------------------------------------------------------- + + /** + * Replace the full set of persistent external entities. + * All keys are validated — throws on invalid characters. + * @param {Record} map + */ + setExternalEntities(map) { + if (map) { + for (const key of Object.keys(map)) { + EntityDecoder_validateEntityName(key); + } + } + this._externalMap = mergeEntityMaps(map); + } + + /** + * Add a single persistent external entity. + * @param {string} key + * @param {string} value + */ + addExternalEntity(key, value) { + EntityDecoder_validateEntityName(key); + if (typeof value === 'string' && value.indexOf('&') === -1) { + this._externalMap[key] = value; + } + } + + // ------------------------------------------------------------------------- + // Input / runtime entity registration (per document) + // ------------------------------------------------------------------------- + + /** + * Inject DOCTYPE entities for the current document. + * Also resets per-document expansion counters. + * @param {Record} map + */ + addInputEntities(map) { + this._totalExpansions = 0; + this._expandedLength = 0; + this._inputMap = mergeEntityMaps(map); + } + + // ------------------------------------------------------------------------- + // Per-document reset + // ------------------------------------------------------------------------- + + /** + * Wipe input/runtime entities and reset counters. + * Call this before processing each new document. + * @returns {this} + */ + reset() { + this._inputMap = Object.create(null); + this._totalExpansions = 0; + this._expandedLength = 0; + return this; + } + + // ------------------------------------------------------------------------- + // XML version (can be set after construction, e.g. once parser reads ) + // ------------------------------------------------------------------------- + + /** + * Update the XML version used for NCR classification. + * Call this as soon as the document's `` declaration is parsed. + * @param {1.0|1.1|number} version + */ + setXmlVersion(version) { + this._ncrXmlVersion = version === 1.1 ? 1.1 : 1.0; + } + + // ------------------------------------------------------------------------- + // Primary API + // ------------------------------------------------------------------------- + + /** + * Replace all entity references in `str` in a single pass. + * + * @param {string} str + * @returns {string} + */ + decode(str) { + if (typeof str !== 'string' || str.length === 0) return str; + //TODO: check if needed + //if (str.indexOf('&') === -1) return str; // fast path — no entities at all + + const original = str; + const chunks = []; + const len = str.length; + let last = 0; // start of next unprocessed literal chunk + let i = 0; + + const limitExpansions = this._maxTotalExpansions > 0; + const limitLength = this._maxExpandedLength > 0; + const checkLimits = limitExpansions || limitLength; + + while (i < len) { + // Scan forward to next '&' + if (str.charCodeAt(i) !== 38 /* '&' */) { i++; continue; } + + // --- Found '&' at position i --- + + // Scan forward to ';' + let j = i + 1; + while (j < len && str.charCodeAt(j) !== 59 /* ';' */ && (j - i) <= 32) j++; + + if (j >= len || str.charCodeAt(j) !== 59) { + // No closing ';' within window — treat '&' as literal + i++; + continue; + } + + // Raw token between '&' and ';' (exclusive) + const token = str.slice(i + 1, j); + if (token.length === 0) { i++; continue; } + + let replacement; + let tier; // which limit tier this entity belongs to + + if (this._removeSet.has(token)) { + // Remove entity: replace with empty string + replacement = ''; + // If entity was unknown (replacement undefined), we still need a tier for limits. + // Treat as external tier because it's user-directed removal of an unknown reference. + if (tier === undefined) { + tier = LIMIT_TIER_EXTERNAL; + } + } else if (this._leaveSet.has(token)) { + // Do not replace — keep original &token; as literal + i++; + continue; + } else if (token.charCodeAt(0) === 35 /* '#' */) { + // ---- Numeric / NCR reference ---- + // NCR classification always runs first — prohibited codepoints must be + // caught regardless of numericAllowed. + const ncrResult = this._resolveNCR(token); + if (ncrResult === undefined) { + // 'leave' action — keep original &token; as-is + i++; + continue; + } + replacement = ncrResult; // '' for remove, char string for allow + tier = LIMIT_TIER_BASE; + } else { + // ---- Named reference ---- + const resolved = this._resolveName(token); + replacement = resolved?.value; + tier = resolved?.tier; + } + + if (replacement === undefined) { + // Unknown entity — leave as-is, advance past '&' only + i++; + continue; + } + + // Flush literal chunk before this entity + if (i > last) chunks.push(str.slice(last, i)); + chunks.push(replacement); + last = j + 1; // skip past ';' + i = last; + + // Apply expansion limits only if this tier is being tracked + if (checkLimits && this._tierCounts(tier)) { + if (limitExpansions) { + this._totalExpansions++; + if (this._totalExpansions > this._maxTotalExpansions) { + throw new Error( + `[EntityReplacer] Entity expansion count limit exceeded: ` + + `${this._totalExpansions} > ${this._maxTotalExpansions}` + ); + } + } + if (limitLength) { + // delta: replacement.length minus the raw &token; length (token.length + 2 for '&' and ';') + const delta = replacement.length - (token.length + 2); + if (delta > 0) { + this._expandedLength += delta; + if (this._expandedLength > this._maxExpandedLength) { + throw new Error( + `[EntityReplacer] Expanded content length limit exceeded: ` + + `${this._expandedLength} > ${this._maxExpandedLength}` + ); + } + } + } + } + } + + // Flush trailing literal + if (last < len) chunks.push(str.slice(last)); + + // If nothing was replaced, chunks is empty — return original + const result = chunks.length === 0 ? str : chunks.join(''); + + return this._postCheck(result, original); + } + + // ------------------------------------------------------------------------- + // Private: limit tier check + // ------------------------------------------------------------------------- + + /** + * Returns true if a resolved entity of the given tier should count + * against the expansion/length limits. + * @param {string} tier — LIMIT_TIER_EXTERNAL | LIMIT_TIER_BASE + * @returns {boolean} + */ + _tierCounts(tier) { + if (this._limitTiers.has(LIMIT_TIER_ALL)) return true; + return this._limitTiers.has(tier); + } + + // ------------------------------------------------------------------------- + // Private: entity resolution + // ------------------------------------------------------------------------- + + /** + * Resolve a named entity token (without & and ;). + * Priority: inputMap > externalMap > baseMap + * Returns the resolved value tagged with its limit tier. + * + * @param {string} name + * @returns {{ value: string, tier: string }|undefined} + */ + _resolveName(name) { + // input and external both count as 'external' tier for limit purposes — + // they are injected at runtime and are the untrusted surface. + if (name in this._inputMap) return { value: this._inputMap[name], tier: LIMIT_TIER_EXTERNAL }; + if (name in this._externalMap) return { value: this._externalMap[name], tier: LIMIT_TIER_EXTERNAL }; + if (name in this._baseMap) return { value: this._baseMap[name], tier: LIMIT_TIER_BASE }; + return undefined; + } + + /** + * Classify a codepoint and return the minimum action level that must be applied. + * Returns -1 when no minimum is imposed (normal allow path). + * + * Ranges checked (in priority order): + * 1. U+0000 — null, governed by nullNCR (always ≥ remove) + * 2. U+D800–U+DFFF — surrogates, always prohibited (min: remove) + * 3. U+0001–U+001F \ {0x09,0x0A,0x0D} — XML 1.0 restricted C0 (min: remove) + * (skipped in XML 1.1 — C0 controls are allowed when written as NCRs) + * + * @param {number} cp — codepoint + * @returns {number} — minimum NCR_LEVEL value, or -1 for no restriction + */ + _classifyNCR(cp) { + // 1. Null + if (cp === 0) return this._ncrNullLevel; + + // 2. Surrogates — always prohibited, minimum 'remove' + if (cp >= 0xD800 && cp <= 0xDFFF) return NCR_LEVEL.remove; + + // 3. XML 1.0 restricted C0 controls + if (this._ncrXmlVersion === 1.0) { + if (cp >= 0x01 && cp <= 0x1F && !XML10_ALLOWED_C0.has(cp)) return NCR_LEVEL.remove; + } + + return -1; // no restriction + } + + /** + * Execute a resolved NCR action. + * + * @param {number} action — NCR_LEVEL value + * @param {string} token — raw token (e.g. '#38') for error messages + * @param {number} cp — codepoint, used only for error messages + * @returns {string|undefined} + * - decoded character string → 'allow' + * - '' → 'remove' + * - undefined → 'leave' (caller must skip past '&' only) + * - throws Error → 'throw' + */ + _applyNCRAction(action, token, cp) { + switch (action) { + case NCR_LEVEL.allow: return String.fromCodePoint(cp); + case NCR_LEVEL.remove: return ''; + case NCR_LEVEL.leave: return undefined; // signal: keep literal + case NCR_LEVEL.throw: + throw new Error( + `[EntityDecoder] Prohibited numeric character reference ` + + `&${token}; (U+${cp.toString(16).toUpperCase().padStart(4, '0')})` + ); + default: return String.fromCodePoint(cp); + } + } + + /** + * Full NCR resolution pipeline for a numeric token. + * + * Steps: + * 1. Parse the codepoint (decimal or hex). + * 2. Validate the raw codepoint range (NaN, <0, >0x10FFFF). + * 3. If numericAllowed is false and no minimum restriction applies → leave as-is. + * 4. Classify the codepoint to find the minimum required action level. + * 5. Resolve effective action = max(onNCR, minimum). + * 6. Apply and return. + * + * @param {string} token — e.g. '#38', '#x26', '#X26' + * @returns {string|undefined} + * - string (incl. '') — replacement ('' = remove) + * - undefined — leave original &token; as-is + */ + _resolveNCR(token) { + // Step 1: parse codepoint + const second = token.charCodeAt(1); + let cp; + if (second === 120 /* x */ || second === 88 /* X */) { + cp = parseInt(token.slice(2), 16); + } else { + cp = parseInt(token.slice(1), 10); + } + + // Step 2: out-of-range → leave as-is unconditionally + if (Number.isNaN(cp) || cp < 0 || cp > 0x10FFFF) return undefined; + + // Step 3: classify to get minimum action level + const minimum = this._classifyNCR(cp); + + // Step 4: if numericAllowed is false and no hard minimum → leave + if (!this._numericAllowed && minimum < NCR_LEVEL.remove) return undefined; + + // Step 5: effective action = max(configured onNCR, range minimum) + const effective = minimum === -1 + ? this._ncrOnLevel + : Math.max(this._ncrOnLevel, minimum); + + // Step 6: apply + return this._applyNCRAction(effective, token, cp); + } +} ;// CONCATENATED MODULE: ./node_modules/fast-xml-parser/src/xmlparser/OrderedObjParser.js ///@ts-check @@ -217148,6 +219178,8 @@ function ignoreAttributes_getIgnoreAttributesFn(ignoreAttributes) { + + // const regx = // '<((!\\[CDATA\\[([\\s\\S]*?)(]]>))|((NAME:)?(NAME))([^>]*)>|((\\/)(NAME)\\s*>))([^<]*)' // .replace(/NAME/g, util.nameRegexp); @@ -217207,36 +219239,10 @@ function extractNamespace(rawTagName) { } class OrderedObjParser { - constructor(options) { + constructor(options, externalEntities) { this.options = options; this.currentNode = null; this.tagsNodeStack = []; - this.docTypeEntities = {}; - this.lastEntities = { - "apos": { regex: /&(apos|#39|#x27);/g, val: "'" }, - "gt": { regex: /&(gt|#62|#x3E);/g, val: ">" }, - "lt": { regex: /&(lt|#60|#x3C);/g, val: "<" }, - "quot": { regex: /&(quot|#34|#x22);/g, val: "\"" }, - }; - this.ampEntity = { regex: /&(amp|#38|#x26);/g, val: "&" }; - this.htmlEntities = { - "space": { regex: /&(nbsp|#160);/g, val: " " }, - // "lt" : { regex: /&(lt|#60);/g, val: "<" }, - // "gt" : { regex: /&(gt|#62);/g, val: ">" }, - // "amp" : { regex: /&(amp|#38);/g, val: "&" }, - // "quot" : { regex: /&(quot|#34);/g, val: "\"" }, - // "apos" : { regex: /&(apos|#39);/g, val: "'" }, - "cent": { regex: /&(cent|#162);/g, val: "¢" }, - "pound": { regex: /&(pound|#163);/g, val: "£" }, - "yen": { regex: /&(yen|#165);/g, val: "¥" }, - "euro": { regex: /&(euro|#8364);/g, val: "€" }, - "copyright": { regex: /&(copy|#169);/g, val: "©" }, - "reg": { regex: /&(reg|#174);/g, val: "®" }, - "inr": { regex: /&(inr|#8377);/g, val: "₹" }, - "num_dec": { regex: /&#([0-9]{1,7});/g, val: (_, str) => fromCodePoint(str, 10, "&#") }, - "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val: (_, str) => fromCodePoint(str, 16, "&#x") }, - }; - this.addExternalEntities = addExternalEntities; this.parseXml = parseXml; this.parseTextData = parseTextData; this.resolveNameSpace = resolveNameSpace; @@ -217249,6 +219255,23 @@ class OrderedObjParser { this.ignoreAttributesFn = ignoreAttributes_getIgnoreAttributesFn(this.options.ignoreAttributes) this.entityExpansionCount = 0; this.currentExpandedLength = 0; + let namedEntities = { ...XML }; + if (this.options.entityDecoder) { + this.entityDecoder = this.options.entityDecoder + } else { + if (typeof this.options.htmlEntities === "object") namedEntities = this.options.htmlEntities; + else if (this.options.htmlEntities === true) namedEntities = { ...COMMON_HTML, ...CURRENCY }; + this.entityDecoder = new EntityDecoder({ + namedEntities: { ...namedEntities, ...externalEntities }, + numericAllowed: this.options.htmlEntities, + limit: { + maxTotalExpansions: this.options.processEntities.maxTotalExpansions, + maxExpandedLength: this.options.processEntities.maxExpandedLength, + applyLimitsTo: this.options.processEntities.appliesTo, + } + //postCheck: resolved => resolved + }); + } // Initialize path matcher for path-expression-matcher this.matcher = new Matcher(); @@ -217261,34 +219284,25 @@ class OrderedObjParser { this.isCurrentNodeStopNode = false; // Pre-compile stopNodes expressions - if (this.options.stopNodes && this.options.stopNodes.length > 0) { - this.stopNodeExpressions = []; - for (let i = 0; i < this.options.stopNodes.length; i++) { - const stopNodeExp = this.options.stopNodes[i]; + this.stopNodeExpressionsSet = new ExpressionSet(); + const stopNodesOpts = this.options.stopNodes; + if (stopNodesOpts && stopNodesOpts.length > 0) { + for (let i = 0; i < stopNodesOpts.length; i++) { + const stopNodeExp = stopNodesOpts[i]; if (typeof stopNodeExp === 'string') { // Convert string to Expression object - this.stopNodeExpressions.push(new Expression(stopNodeExp)); + this.stopNodeExpressionsSet.add(new Expression(stopNodeExp)); } else if (stopNodeExp instanceof Expression) { // Already an Expression object - this.stopNodeExpressions.push(stopNodeExp); + this.stopNodeExpressionsSet.add(stopNodeExp); } } + this.stopNodeExpressionsSet.seal(); } } } -function addExternalEntities(externalEntities) { - const entKeys = Object.keys(externalEntities); - for (let i = 0; i < entKeys.length; i++) { - const ent = entKeys[i]; - const escaped = ent.replace(/[.\-+*:]/g, '\\.'); - this.lastEntities[ent] = { - regex: new RegExp("&" + escaped + ";", "g"), - val: externalEntities[ent] - } - } -} /** * @param {string} val @@ -217300,28 +219314,29 @@ function addExternalEntities(externalEntities) { * @param {boolean} escapeEntities */ function parseTextData(val, tagName, jPath, dontTrim, hasAttributes, isLeafNode, escapeEntities) { + const options = this.options; if (val !== undefined) { - if (this.options.trimValues && !dontTrim) { + if (options.trimValues && !dontTrim) { val = val.trim(); } if (val.length > 0) { if (!escapeEntities) val = this.replaceEntitiesValue(val, tagName, jPath); // Pass jPath string or matcher based on options.jPath setting - const jPathOrMatcher = this.options.jPath ? jPath.toString() : jPath; - const newval = this.options.tagValueProcessor(tagName, val, jPathOrMatcher, hasAttributes, isLeafNode); + const jPathOrMatcher = options.jPath ? jPath.toString() : jPath; + const newval = options.tagValueProcessor(tagName, val, jPathOrMatcher, hasAttributes, isLeafNode); if (newval === null || newval === undefined) { //don't parse return val; } else if (typeof newval !== typeof val || newval !== val) { //overwrite return newval; - } else if (this.options.trimValues) { - return OrderedObjParser_parseValue(val, this.options.parseTagValue, this.options.numberParseOptions); + } else if (options.trimValues) { + return OrderedObjParser_parseValue(val, options.parseTagValue, options.numberParseOptions); } else { const trimmedVal = val.trim(); if (trimmedVal === val) { - return OrderedObjParser_parseValue(val, this.options.parseTagValue, this.options.numberParseOptions); + return OrderedObjParser_parseValue(val, options.parseTagValue, options.numberParseOptions); } else { return val; } @@ -217348,8 +219363,9 @@ function resolveNameSpace(tagname) { //const attrsRegx = new RegExp("([\\w\\-\\.\\:]+)\\s*=\\s*(['\"])((.|\n)*?)\\2","gm"); const attrsRegx = new RegExp('([^\\s=]+)\\s*(=\\s*([\'"])([\\s\\S]*?)\\3)?', 'gm'); -function buildAttributesMap(attrStr, jPath, tagName) { - if (this.options.ignoreAttributes !== true && typeof attrStr === 'string') { +function buildAttributesMap(attrStr, jPath, tagName, force = false) { + const options = this.options; + if (force === true || (options.ignoreAttributes !== true && typeof attrStr === 'string')) { // attrStr = attrStr.replace(/\r?\n/g, ' '); //attrStr = attrStr || attrStr.trim(); @@ -217357,89 +219373,80 @@ function buildAttributesMap(attrStr, jPath, tagName) { const len = matches.length; //don't make it inline const attrs = {}; - // First pass: parse all attributes and update matcher with raw values - // This ensures the matcher has all attribute values when processors run + // Pre-process values once: trim + entity replacement + // Reused in both matcher update and second pass + const processedVals = new Array(len); + let hasRawAttrs = false; const rawAttrsForMatcher = {}; + for (let i = 0; i < len; i++) { const attrName = this.resolveNameSpace(matches[i][1]); const oldVal = matches[i][4]; if (attrName.length && oldVal !== undefined) { - let parsedVal = oldVal; - if (this.options.trimValues) { - parsedVal = parsedVal.trim(); - } - parsedVal = this.replaceEntitiesValue(parsedVal, tagName, this.readonlyMatcher); - rawAttrsForMatcher[attrName] = parsedVal; + let val = oldVal; + if (options.trimValues) val = val.trim(); + val = this.replaceEntitiesValue(val, tagName, this.readonlyMatcher); + processedVals[i] = val; + + rawAttrsForMatcher[attrName] = val; + hasRawAttrs = true; } } - // Update matcher with raw attribute values BEFORE running processors - if (Object.keys(rawAttrsForMatcher).length > 0 && typeof jPath === 'object' && jPath.updateCurrent) { + // Update matcher ONCE before second pass, if applicable + if (hasRawAttrs && typeof jPath === 'object' && jPath.updateCurrent) { jPath.updateCurrent(rawAttrsForMatcher); } - // Second pass: now process attributes with matcher having full attribute context + // Hoist toString() once — path doesn't change during attribute processing + const jPathStr = options.jPath ? jPath.toString() : this.readonlyMatcher; + + // Second pass: apply processors, build final attrs + let hasAttrs = false; for (let i = 0; i < len; i++) { const attrName = this.resolveNameSpace(matches[i][1]); - // Convert jPath to string if needed for ignoreAttributesFn - const jPathStr = this.options.jPath ? jPath.toString() : this.readonlyMatcher; - if (this.ignoreAttributesFn(attrName, jPathStr)) { - continue - } + if (this.ignoreAttributesFn(attrName, jPathStr)) continue; - let oldVal = matches[i][4]; - let aName = this.options.attributeNamePrefix + attrName; + let aName = options.attributeNamePrefix + attrName; if (attrName.length) { - if (this.options.transformAttributeName) { - aName = this.options.transformAttributeName(aName); + if (options.transformAttributeName) { + aName = options.transformAttributeName(aName); } - //if (aName === "__proto__") aName = "#__proto__"; - aName = sanitizeName(aName, this.options); + aName = sanitizeName(aName, options); - if (oldVal !== undefined) { - if (this.options.trimValues) { - oldVal = oldVal.trim(); - } - oldVal = this.replaceEntitiesValue(oldVal, tagName, this.readonlyMatcher); + if (matches[i][4] !== undefined) { + // Reuse already-processed value — no double entity replacement + const oldVal = processedVals[i]; - // Pass jPath string or readonlyMatcher based on options.jPath setting - const jPathOrMatcher = this.options.jPath ? jPath.toString() : this.readonlyMatcher; - const newVal = this.options.attributeValueProcessor(attrName, oldVal, jPathOrMatcher); + const newVal = options.attributeValueProcessor(attrName, oldVal, jPathStr); if (newVal === null || newVal === undefined) { - //don't parse attrs[aName] = oldVal; } else if (typeof newVal !== typeof oldVal || newVal !== oldVal) { - //overwrite attrs[aName] = newVal; } else { - //parse - attrs[aName] = OrderedObjParser_parseValue( - oldVal, - this.options.parseAttributeValue, - this.options.numberParseOptions - ); + attrs[aName] = OrderedObjParser_parseValue(oldVal, options.parseAttributeValue, options.numberParseOptions); } - } else if (this.options.allowBooleanAttributes) { + hasAttrs = true; + } else if (options.allowBooleanAttributes) { attrs[aName] = true; + hasAttrs = true; } } } - if (!Object.keys(attrs).length) { - return; - } - if (this.options.attributesGroupName) { + if (!hasAttrs) return; + + if (options.attributesGroupName && !options.preserveOrder) { const attrCollection = {}; - attrCollection[this.options.attributesGroupName] = attrs; + attrCollection[options.attributesGroupName] = attrs; return attrCollection; } - return attrs + return attrs; } } - const parseXml = function (xmlData) { xmlData = xmlData.replace(/\r\n?/g, "\n"); //TODO: remove this line const xmlObj = new XmlNode('!xml'); @@ -217448,29 +219455,32 @@ const parseXml = function (xmlData) { // Reset matcher for new document this.matcher.reset(); + this.entityDecoder.reset(); // Reset entity expansion counters for this document this.entityExpansionCount = 0; this.currentExpandedLength = 0; - - const docTypeReader = new DocTypeReader(this.options.processEntities); - for (let i = 0; i < xmlData.length; i++) {//for each char in XML data + const options = this.options; + const docTypeReader = new DocTypeReader(options.processEntities); + const xmlLen = xmlData.length; + for (let i = 0; i < xmlLen; i++) {//for each char in XML data const ch = xmlData[i]; if (ch === '<') { // const nextIndex = i+1; // const _2ndChar = xmlData[nextIndex]; - if (xmlData[i + 1] === '/') {//Closing Tag + const c1 = xmlData.charCodeAt(i + 1); + if (c1 === 47) {//Closing Tag '/' const closeIndex = findClosingIndex(xmlData, ">", i, "Closing Tag is not closed.") let tagName = xmlData.substring(i + 2, closeIndex).trim(); - if (this.options.removeNSPrefix) { + if (options.removeNSPrefix) { const colonIndex = tagName.indexOf(":"); if (colonIndex !== -1) { tagName = tagName.substr(colonIndex + 1); } } - tagName = transformTagName(this.options.transformTagName, tagName, "", this.options).tagName; + tagName = transformTagName(options.transformTagName, tagName, "", options).tagName; if (currentNode) { textData = this.saveTextToParentTag(textData, currentNode, this.readonlyMatcher); @@ -217478,10 +219488,10 @@ const parseXml = function (xmlData) { //check if last tag of nested tag was unpaired tag const lastTagName = this.matcher.getCurrentTag(); - if (tagName && this.options.unpairedTags.indexOf(tagName) !== -1) { + if (tagName && options.unpairedTagsSet.has(tagName)) { throw new Error(`Unpaired tag can not be used as closing tag: `); } - if (lastTagName && this.options.unpairedTags.indexOf(lastTagName) !== -1) { + if (lastTagName && options.unpairedTagsSet.has(lastTagName)) { // Pop the unpaired tag this.matcher.pop(); this.tagsNodeStack.pop(); @@ -217493,42 +219503,51 @@ const parseXml = function (xmlData) { currentNode = this.tagsNodeStack.pop();//avoid recursion, set the parent tag scope textData = ""; i = closeIndex; - } else if (xmlData[i + 1] === '?') { + } else if (c1 === 63) { //'?' let tagData = readTagExp(xmlData, i, false, "?>"); if (!tagData) throw new Error("Pi Tag is not closed."); textData = this.saveTextToParentTag(textData, currentNode, this.readonlyMatcher); - if ((this.options.ignoreDeclaration && tagData.tagName === "?xml") || this.options.ignorePiTags) { + const attsMap = this.buildAttributesMap(tagData.tagExp, this.matcher, tagData.tagName, true); + if (attsMap) { + const ver = attsMap[this.options.attributeNamePrefix + "version"]; + this.entityDecoder.setXmlVersion(Number(ver) || 1.0); + } + if ((options.ignoreDeclaration && tagData.tagName === "?xml") || options.ignorePiTags) { //do nothing } else { const childNode = new XmlNode(tagData.tagName); - childNode.add(this.options.textNodeName, ""); + childNode.add(options.textNodeName, ""); - if (tagData.tagName !== tagData.tagExp && tagData.attrExpPresent) { - childNode[":@"] = this.buildAttributesMap(tagData.tagExp, this.matcher, tagData.tagName); + if (tagData.tagName !== tagData.tagExp && tagData.attrExpPresent && options.ignoreAttributes !== true) { + childNode[":@"] = attsMap } this.addChild(currentNode, childNode, this.readonlyMatcher, i); } i = tagData.closeIndex + 1; - } else if (xmlData.substr(i + 1, 3) === '!--') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 45 + && xmlData.charCodeAt(i + 3) === 45) { //'!--' const endIndex = findClosingIndex(xmlData, "-->", i + 4, "Comment is not closed.") - if (this.options.commentPropName) { + if (options.commentPropName) { const comment = xmlData.substring(i + 4, endIndex - 2); textData = this.saveTextToParentTag(textData, currentNode, this.readonlyMatcher); - currentNode.add(this.options.commentPropName, [{ [this.options.textNodeName]: comment }]); + currentNode.add(options.commentPropName, [{ [options.textNodeName]: comment }]); } i = endIndex; - } else if (xmlData.substr(i + 1, 2) === '!D') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 68) { //'!D' const result = docTypeReader.readDocType(xmlData, i); - this.docTypeEntities = result.entities; + this.entityDecoder.addInputEntities(result.entities); i = result.i; - } else if (xmlData.substr(i + 1, 2) === '![') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 91) { // '![' const closeIndex = findClosingIndex(xmlData, "]]>", i, "CDATA is not closed.") - 2; const tagExp = xmlData.substring(i + 9, closeIndex); @@ -217538,20 +219557,20 @@ const parseXml = function (xmlData) { if (val == undefined) val = ""; //cdata should be set even if it is 0 length string - if (this.options.cdataPropName) { - currentNode.add(this.options.cdataPropName, [{ [this.options.textNodeName]: tagExp }]); + if (options.cdataPropName) { + currentNode.add(options.cdataPropName, [{ [options.textNodeName]: tagExp }]); } else { - currentNode.add(this.options.textNodeName, val); + currentNode.add(options.textNodeName, val); } i = closeIndex + 2; } else {//Opening tag - let result = readTagExp(xmlData, i, this.options.removeNSPrefix); + let result = readTagExp(xmlData, i, options.removeNSPrefix); // Safety check: readTagExp can return undefined if (!result) { // Log context for debugging - const context = xmlData.substring(Math.max(0, i - 50), Math.min(xmlData.length, i + 50)); + const context = xmlData.substring(Math.max(0, i - 50), Math.min(xmlLen, i + 50)); throw new Error(`readTagExp returned undefined at position ${i}. Context: "${context}"`); } @@ -217561,13 +219580,13 @@ const parseXml = function (xmlData) { let attrExpPresent = result.attrExpPresent; let closeIndex = result.closeIndex; - ({ tagName, tagExp } = transformTagName(this.options.transformTagName, tagName, tagExp, this.options)); + ({ tagName, tagExp } = transformTagName(options.transformTagName, tagName, tagExp, options)); - if (this.options.strictReservedNames && - (tagName === this.options.commentPropName - || tagName === this.options.cdataPropName - || tagName === this.options.textNodeName - || tagName === this.options.attributesGroupName + if (options.strictReservedNames && + (tagName === options.commentPropName + || tagName === options.cdataPropName + || tagName === options.textNodeName + || tagName === options.attributesGroupName )) { throw new Error(`Invalid tag name: ${tagName}`); } @@ -217582,7 +219601,7 @@ const parseXml = function (xmlData) { //check if last tag was unpaired tag const lastTag = currentNode; - if (lastTag && this.options.unpairedTags.indexOf(lastTag.tagname) !== -1) { + if (lastTag && options.unpairedTagsSet.has(lastTag.tagname)) { currentNode = this.tagsNodeStack.pop(); this.matcher.pop(); } @@ -217624,13 +219643,14 @@ const parseXml = function (xmlData) { if (prefixedAttrs) { // Extract raw attributes (without prefix) for our use - rawAttrs = extractRawAttributes(prefixedAttrs, this.options); + //TODO: seems a performance overhead + rawAttrs = extractRawAttributes(prefixedAttrs, options); } } // Now check if this is a stop node (after attributes are set) if (tagName !== xmlObj.tagname) { - this.isCurrentNodeStopNode = this.isItStopNode(this.stopNodeExpressions, this.matcher); + this.isCurrentNodeStopNode = this.isItStopNode(); } const startIndex = i; @@ -217642,7 +219662,7 @@ const parseXml = function (xmlData) { i = result.closeIndex; } //unpaired tag - else if (this.options.unpairedTags.indexOf(tagName) !== -1) { + else if (options.unpairedTagsSet.has(tagName)) { i = result.closeIndex; } //normal tag @@ -217661,7 +219681,7 @@ const parseXml = function (xmlData) { } // For stop nodes, store raw content as-is without any processing - childNode.add(this.options.textNodeName, tagContent); + childNode.add(options.textNodeName, tagContent); this.matcher.pop(); // Pop the stop node tag this.isCurrentNodeStopNode = false; // Reset flag @@ -217670,7 +219690,7 @@ const parseXml = function (xmlData) { } else { //selfClosing tag if (isSelfClosing) { - ({ tagName, tagExp } = transformTagName(this.options.transformTagName, tagName, tagExp, this.options)); + ({ tagName, tagExp } = transformTagName(options.transformTagName, tagName, tagExp, options)); const childNode = new XmlNode(tagName); if (prefixedAttrs) { @@ -217680,7 +219700,7 @@ const parseXml = function (xmlData) { this.matcher.pop(); // Pop self-closing tag this.isCurrentNodeStopNode = false; // Reset flag } - else if (this.options.unpairedTags.indexOf(tagName) !== -1) {//unpaired tag + else if (options.unpairedTagsSet.has(tagName)) {//unpaired tag const childNode = new XmlNode(tagName); if (prefixedAttrs) { childNode[":@"] = prefixedAttrs; @@ -217695,7 +219715,7 @@ const parseXml = function (xmlData) { //opening tag else { const childNode = new XmlNode(tagName); - if (this.tagsNodeStack.length > this.options.maxNestedTags) { + if (this.tagsNodeStack.length > options.maxNestedTags) { throw new Error("Maximum nested tags exceeded"); } this.tagsNodeStack.push(currentNode); @@ -217766,79 +219786,7 @@ function OrderedObjParser_replaceEntitiesValue(val, tagName, jPath) { } } - // Replace DOCTYPE entities - for (const entityName of Object.keys(this.docTypeEntities)) { - const entity = this.docTypeEntities[entityName]; - const matches = val.match(entity.regx); - - if (matches) { - // Track expansions - this.entityExpansionCount += matches.length; - - // Check expansion limit - if (entityConfig.maxTotalExpansions && - this.entityExpansionCount > entityConfig.maxTotalExpansions) { - throw new Error( - `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}` - ); - } - - // Store length before replacement - const lengthBefore = val.length; - val = val.replace(entity.regx, entity.val); - - // Check expanded length immediately after replacement - if (entityConfig.maxExpandedLength) { - this.currentExpandedLength += (val.length - lengthBefore); - - if (this.currentExpandedLength > entityConfig.maxExpandedLength) { - throw new Error( - `Total expanded content size exceeded: ${this.currentExpandedLength} > ${entityConfig.maxExpandedLength}` - ); - } - } - } - } - // Replace standard entities - for (const entityName of Object.keys(this.lastEntities)) { - const entity = this.lastEntities[entityName]; - const matches = val.match(entity.regex); - if (matches) { - this.entityExpansionCount += matches.length; - if (entityConfig.maxTotalExpansions && - this.entityExpansionCount > entityConfig.maxTotalExpansions) { - throw new Error( - `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}` - ); - } - } - val = val.replace(entity.regex, entity.val); - } - if (val.indexOf('&') === -1) return val; - - // Replace HTML entities if enabled - if (this.options.htmlEntities) { - for (const entityName of Object.keys(this.htmlEntities)) { - const entity = this.htmlEntities[entityName]; - const matches = val.match(entity.regex); - if (matches) { - //console.log(matches); - this.entityExpansionCount += matches.length; - if (entityConfig.maxTotalExpansions && - this.entityExpansionCount > entityConfig.maxTotalExpansions) { - throw new Error( - `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}` - ); - } - } - val = val.replace(entity.regex, entity.val); - } - } - - // Replace ampersand entity last - val = val.replace(this.ampEntity.regex, this.ampEntity.val); - - return val; + return this.entityDecoder.decode(val); } @@ -217860,20 +219808,14 @@ function saveTextToParentTag(textData, parentNode, matcher, isLeafNode) { return textData; } -//TODO: use jPath to simplify the logic /** * @param {Array} stopNodeExpressions - Array of compiled Expression objects * @param {Matcher} matcher - Current path matcher */ -function isItStopNode(stopNodeExpressions, matcher) { - if (!stopNodeExpressions || stopNodeExpressions.length === 0) return false; +function isItStopNode() { + if (this.stopNodeExpressionsSet.size === 0) return false; - for (let i = 0; i < stopNodeExpressions.length; i++) { - if (matcher.matches(stopNodeExpressions[i])) { - return true; - } - } - return false; + return this.matcher.matchesAny(this.stopNodeExpressionsSet); } /** @@ -217883,32 +219825,38 @@ function isItStopNode(stopNodeExpressions, matcher) { * @returns */ function tagExpWithClosingIndex(xmlData, i, closingChar = ">") { - let attrBoundary; - let tagExp = ""; - for (let index = i; index < xmlData.length; index++) { - let ch = xmlData[index]; + //TODO: ignore boolean attributes in tag expression + //TODO: if ignore attributes, dont read full attribute expression but the end. But read for xml declaration + let attrBoundary = 0; + const len = xmlData.length; + const closeCode0 = closingChar.charCodeAt(0); + const closeCode1 = closingChar.length > 1 ? closingChar.charCodeAt(1) : -1; + + let result = ''; + let segmentStart = i; + + for (let index = i; index < len; index++) { + const code = xmlData.charCodeAt(index); + if (attrBoundary) { - if (ch === attrBoundary) attrBoundary = "";//reset - } else if (ch === '"' || ch === "'") { - attrBoundary = ch; - } else if (ch === closingChar[0]) { - if (closingChar[1]) { - if (xmlData[index + 1] === closingChar[1]) { - return { - data: tagExp, - index: index - } + if (code === attrBoundary) attrBoundary = 0; + } else if (code === 34 || code === 39) { // " or ' + attrBoundary = code; + } else if (code === closeCode0) { + if (closeCode1 !== -1) { + if (xmlData.charCodeAt(index + 1) === closeCode1) { + result += xmlData.substring(segmentStart, index); + return { data: result, index }; } } else { - return { - data: tagExp, - index: index - } + result += xmlData.substring(segmentStart, index); + return { data: result, index }; } - } else if (ch === '\t') { - ch = " " + } else if (code === 9 && !attrBoundary) { // \t - only replace with space outside attribute values + // Flush accumulated segment, add space, start new segment + result += xmlData.substring(segmentStart, index) + ' '; + segmentStart = index + 1; } - tagExp += ch; } } @@ -217921,6 +219869,12 @@ function findClosingIndex(xmlData, str, i, errMsg) { } } +function findClosingChar(xmlData, char, i, errMsg) { + const closingIndex = xmlData.indexOf(char, i); + if (closingIndex === -1) throw new Error(errMsg); + return closingIndex; // no offset needed +} + function readTagExp(xmlData, i, removeNSPrefix, closingChar = ">") { const result = tagExpWithClosingIndex(xmlData, i + 1, closingChar); if (!result) return; @@ -217962,10 +219916,12 @@ function readStopNodeData(xmlData, tagName, i) { // Starting at 1 since we already have an open tag let openTagCount = 1; - for (; i < xmlData.length; i++) { + const xmllen = xmlData.length; + for (; i < xmllen; i++) { if (xmlData[i] === "<") { - if (xmlData[i + 1] === "/") {//close tag - const closeIndex = findClosingIndex(xmlData, ">", i, `${tagName} is not closed`); + const c1 = xmlData.charCodeAt(i + 1); + if (c1 === 47) {//close tag '/' + const closeIndex = findClosingChar(xmlData, ">", i, `${tagName} is not closed`); let closeTagName = xmlData.substring(i + 2, closeIndex).trim(); if (closeTagName === tagName) { openTagCount--; @@ -217977,13 +219933,16 @@ function readStopNodeData(xmlData, tagName, i) { } } i = closeIndex; - } else if (xmlData[i + 1] === '?') { + } else if (c1 === 63) { //? const closeIndex = findClosingIndex(xmlData, "?>", i + 1, "StopNode is not closed.") i = closeIndex; - } else if (xmlData.substr(i + 1, 3) === '!--') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 45 + && xmlData.charCodeAt(i + 3) === 45) { // '!--' const closeIndex = findClosingIndex(xmlData, "-->", i + 3, "StopNode is not closed.") i = closeIndex; - } else if (xmlData.substr(i + 1, 2) === '![') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 91) { // '![' const closeIndex = findClosingIndex(xmlData, "]]>", i, "StopNode is not closed.") - 2; i = closeIndex; } else { @@ -218257,8 +220216,8 @@ class XMLParser { throw Error(`${result.err.msg}:${result.err.line}:${result.err.col}`) } } - const orderedObjParser = new OrderedObjParser(this.options); - orderedObjParser.addExternalEntities(this.externalEntities); + const orderedObjParser = new OrderedObjParser(this.options, this.externalEntities); + // orderedObjParser.entityDecoder.setExternalEntities(this.externalEntities); const orderedResult = orderedObjParser.parseXml(xmlData); if (this.options.preserveOrder || orderedResult === undefined) return orderedResult; else return prettify(orderedResult, this.options, orderedObjParser.matcher, orderedObjParser.readonlyMatcher); From fb90f32c878fe3a40aece60c9540beaae50bd73c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 00:15:28 +0000 Subject: [PATCH 2/3] fix: apply audit fixes --- dist/save/index.js | 2861 +++++++++++++++++++++++++++++++++++++------- 1 file changed, 2410 insertions(+), 451 deletions(-) diff --git a/dist/save/index.js b/dist/save/index.js index c80d56b..92e8763 100644 --- a/dist/save/index.js +++ b/dist/save/index.js @@ -199488,7 +199488,7 @@ module.exports = axios; /***/ 74577: /***/ ((module) => { -(()=>{"use strict";var t={d:(e,i)=>{for(var n in i)t.o(i,n)&&!t.o(e,n)&&Object.defineProperty(e,n,{enumerable:!0,get:i[n]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{XMLBuilder:()=>$t,XMLParser:()=>gt,XMLValidator:()=>It});const i=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",n=new RegExp("^["+i+"]["+i+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function s(t,e){const i=[];let n=e.exec(t);for(;n;){const s=[];s.startIndex=e.lastIndex-n[0].length;const r=n.length;for(let t=0;t"!==t[r]&&" "!==t[r]&&"\t"!==t[r]&&"\n"!==t[r]&&"\r"!==t[r];r++)h+=t[r];if(h=h.trim(),"/"===h[h.length-1]&&(h=h.substring(0,h.length-1),r--),!y(h)){let e;return e=0===h.trim().length?"Invalid space after '<'.":"Tag '"+h+"' is an invalid name.",b("InvalidTag",e,w(t,r))}const l=g(t,r);if(!1===l)return b("InvalidAttr","Attributes for '"+h+"' have open quote.",w(t,r));let d=l.value;if(r=l.index,"/"===d[d.length-1]){const i=r-d.length;d=d.substring(0,d.length-1);const s=x(d,e);if(!0!==s)return b(s.err.code,s.err.msg,w(t,i+s.err.line));n=!0}else if(a){if(!l.tagClosed)return b("InvalidTag","Closing tag '"+h+"' doesn't have proper closing.",w(t,r));if(d.trim().length>0)return b("InvalidTag","Closing tag '"+h+"' can't have attributes or invalid starting.",w(t,o));if(0===i.length)return b("InvalidTag","Closing tag '"+h+"' has not been opened.",w(t,o));{const e=i.pop();if(h!==e.tagName){let i=w(t,e.tagStartPos);return b("InvalidTag","Expected closing tag '"+e.tagName+"' (opened in line "+i.line+", col "+i.col+") instead of closing tag '"+h+"'.",w(t,o))}0==i.length&&(s=!0)}}else{const a=x(d,e);if(!0!==a)return b(a.err.code,a.err.msg,w(t,r-d.length+a.err.line));if(!0===s)return b("InvalidXml","Multiple possible root nodes found.",w(t,r));-1!==e.unpairedTags.indexOf(h)||i.push({tagName:h,tagStartPos:o}),n=!0}for(r++;r0)||b("InvalidXml","Invalid '"+JSON.stringify(i.map(t=>t.tagName),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):b("InvalidXml","Start tag expected.",1)}function p(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function u(t,e){const i=e;for(;e5&&"xml"===n)return b("InvalidXml","XML declaration allowed only at the start of the document.",w(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}continue}return e}function c(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){let i=1;for(e+=8;e"===t[e]&&(i--,0===i))break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e"===t[e+2]){e+=2;break}return e}const d='"',f="'";function g(t,e){let i="",n="",s=!1;for(;e"===t[e]&&""===n){s=!0;break}i+=t[e]}return""===n&&{value:i,index:e,tagClosed:s}}const m=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function x(t,e){const i=s(t,m),n={};for(let t=0;to.includes(t)?"__"+t:t,P={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:()=>!1,commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,i){return t},captureMetaData:!1,maxNestedTags:100,strictReservedNames:!0,jPath:!0,onDangerousProperty:T};function S(t,e){if("string"!=typeof t)return;const i=t.toLowerCase();if(o.some(t=>i===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);if(a.some(t=>i===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`)}function A(t){return"boolean"==typeof t?{enabled:t,maxEntitySize:1e4,maxExpansionDepth:10,maxTotalExpansions:1e3,maxExpandedLength:1e5,maxEntityCount:100,allowedTags:null,tagFilter:null}:"object"==typeof t&&null!==t?{enabled:!1!==t.enabled,maxEntitySize:Math.max(1,t.maxEntitySize??1e4),maxExpansionDepth:Math.max(1,t.maxExpansionDepth??10),maxTotalExpansions:Math.max(1,t.maxTotalExpansions??1e3),maxExpandedLength:Math.max(1,t.maxExpandedLength??1e5),maxEntityCount:Math.max(1,t.maxEntityCount??100),allowedTags:t.allowedTags??null,tagFilter:t.tagFilter??null}:A(!0)}const O=function(t){const e=Object.assign({},P,t),i=[{value:e.attributeNamePrefix,name:"attributeNamePrefix"},{value:e.attributesGroupName,name:"attributesGroupName"},{value:e.textNodeName,name:"textNodeName"},{value:e.cdataPropName,name:"cdataPropName"},{value:e.commentPropName,name:"commentPropName"}];for(const{value:t,name:e}of i)t&&S(t,e);return null===e.onDangerousProperty&&(e.onDangerousProperty=T),e.processEntities=A(e.processEntities),e.stopNodes&&Array.isArray(e.stopNodes)&&(e.stopNodes=e.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),e};let C;C="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");class ${constructor(t){this.tagname=t,this.child=[],this[":@"]=Object.create(null)}add(t,e){"__proto__"===t&&(t="#__proto__"),this.child.push({[t]:e})}addChild(t,e){"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push({[t.tagname]:t.child,":@":t[":@"]}):this.child.push({[t.tagname]:t.child}),void 0!==e&&(this.child[this.child.length-1][C]={startIndex:e})}static getMetaDataSymbol(){return C}}class I{constructor(t){this.suppressValidationErr=!t,this.options=t}readDocType(t,e){const i=Object.create(null);let n=0;if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");{e+=9;let s=1,r=!1,o=!1,a="";for(;e"===t[e]){if(o?"-"===t[e-1]&&"-"===t[e-2]&&(o=!1,s--):s--,0===s)break}else"["===t[e]?r=!0:a+=t[e];else{if(r&&M(t,"!ENTITY",e)){let s,r;if(e+=7,[s,r,e]=this.readEntityExp(t,e+1,this.suppressValidationErr),-1===r.indexOf("&")){if(!1!==this.options.enabled&&null!=this.options.maxEntityCount&&n>=this.options.maxEntityCount)throw new Error(`Entity count (${n+1}) exceeds maximum allowed (${this.options.maxEntityCount})`);const t=s.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");i[s]={regx:RegExp(`&${t};`,"g"),val:r},n++}}else if(r&&M(t,"!ELEMENT",e)){e+=8;const{index:i}=this.readElementExp(t,e+1);e=i}else if(r&&M(t,"!ATTLIST",e))e+=8;else if(r&&M(t,"!NOTATION",e)){e+=9;const{index:i}=this.readNotationExp(t,e+1,this.suppressValidationErr);e=i}else{if(!M(t,"!--",e))throw new Error("Invalid DOCTYPE");o=!0}s++,a=""}if(0!==s)throw new Error("Unclosed DOCTYPE")}return{entities:i,i:e}}readEntityExp(t,e){const i=e=j(t,e);for(;ethis.options.maxEntitySize)throw new Error(`Entity "${n}" size (${s.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);return[n,s,--e]}readNotationExp(t,e){const i=e=j(t,e);for(;e{for(;e0&&(this.path[this.path.length-1].values=void 0);const n=this.path.length;this.siblingStacks[n]||(this.siblingStacks[n]=new Map);const s=this.siblingStacks[n],r=i?`${i}:${t}`:t,o=s.get(r)||0;let a=0;for(const t of s.values())a+=t;s.set(r,o+1);const h={tag:t,position:a,counter:o};null!=i&&(h.namespace=i),null!=e&&(h.values=e),this.path.push(h)}pop(){if(0===this.path.length)return;const t=this.path.pop();return this.siblingStacks.length>this.path.length+1&&(this.siblingStacks.length=this.path.length+1),t}updateCurrent(t){if(this.path.length>0){const e=this.path[this.path.length-1];null!=t&&(e.values=t)}}getCurrentTag(){return this.path.length>0?this.path[this.path.length-1].tag:void 0}getCurrentNamespace(){return this.path.length>0?this.path[this.path.length-1].namespace:void 0}getAttrValue(t){if(0===this.path.length)return;const e=this.path[this.path.length-1];return e.values?.[t]}hasAttr(t){if(0===this.path.length)return!1;const e=this.path[this.path.length-1];return void 0!==e.values&&t in e.values}getPosition(){return 0===this.path.length?-1:this.path[this.path.length-1].position??0}getCounter(){return 0===this.path.length?-1:this.path[this.path.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this.path.length}toString(t,e=!0){const i=t||this.separator;return this.path.map(t=>e&&t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(i)}toArray(){return this.path.map(t=>t.tag)}reset(){this.path=[],this.siblingStacks=[]}matches(t){const e=t.segments;return 0!==e.length&&(t.hasDeepWildcard()?this._matchWithDeepWildcard(e):this._matchSimple(e))}_matchSimple(t){if(this.path.length!==t.length)return!1;for(let e=0;e=0&&e>=0;){const n=t[i];if("deep-wildcard"===n.type){if(i--,i<0)return!0;const n=t[i];let s=!1;for(let t=e;t>=0;t--){const r=t===this.path.length-1;if(this._matchSegment(n,this.path[t],r)){e=t-1,i--,s=!0;break}}if(!s)return!1}else{const t=e===this.path.length-1;if(!this._matchSegment(n,this.path[e],t))return!1;e--,i--}}return i<0}_matchSegment(t,e,i){if("*"!==t.tag&&t.tag!==e.tag)return!1;if(void 0!==t.namespace&&"*"!==t.namespace&&t.namespace!==e.namespace)return!1;if(void 0!==t.attrName){if(!i)return!1;if(!e.values||!(t.attrName in e.values))return!1;if(void 0!==t.attrValue){const i=e.values[t.attrName];if(String(i)!==String(t.attrValue))return!1}}if(void 0!==t.position){if(!i)return!1;const n=e.counter??0;if("first"===t.position&&0!==n)return!1;if("odd"===t.position&&n%2!=1)return!1;if("even"===t.position&&n%2!=0)return!1;if("nth"===t.position&&n!==t.positionValue)return!1}return!0}snapshot(){return{path:this.path.map(t=>({...t})),siblingStacks:this.siblingStacks.map(t=>new Map(t))}}restore(t){this.path=t.path.map(t=>({...t})),this.siblingStacks=t.siblingStacks.map(t=>new Map(t))}readOnly(){return new Proxy(this,{get(t,e,i){if(L.has(e))return()=>{throw new TypeError(`Cannot call '${e}' on a read-only Matcher. Obtain a writable instance to mutate state.`)};const n=Reflect.get(t,e,i);return"path"===e||"siblingStacks"===e?Object.freeze(Array.isArray(n)?n.map(t=>t instanceof Map?Object.freeze(new Map(t)):Object.freeze({...t})):n):"function"==typeof n?n.bind(t):n},set(t,e){throw new TypeError(`Cannot set property '${String(e)}' on a read-only Matcher.`)},deleteProperty(t,e){throw new TypeError(`Cannot delete property '${String(e)}' from a read-only Matcher.`)}})}}class R{constructor(t,e={}){this.pattern=t,this.separator=e.separator||".",this.segments=this._parse(t),this._hasDeepWildcard=this.segments.some(t=>"deep-wildcard"===t.type),this._hasAttributeCondition=this.segments.some(t=>void 0!==t.attrName),this._hasPositionSelector=this.segments.some(t=>void 0!==t.position)}_parse(t){const e=[];let i=0,n="";for(;i0){const i=t.substring(0,e);if("xmlns"!==i)return i}}class W{constructor(t){var e;if(this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.docTypeEntities={},this.lastEntities={apos:{regex:/&(apos|#39|#x27);/g,val:"'"},gt:{regex:/&(gt|#62|#x3E);/g,val:">"},lt:{regex:/&(lt|#60|#x3C);/g,val:"<"},quot:{regex:/&(quot|#34|#x22);/g,val:'"'}},this.ampEntity={regex:/&(amp|#38|#x26);/g,val:"&"},this.htmlEntities={space:{regex:/&(nbsp|#160);/g,val:" "},cent:{regex:/&(cent|#162);/g,val:"¢"},pound:{regex:/&(pound|#163);/g,val:"£"},yen:{regex:/&(yen|#165);/g,val:"¥"},euro:{regex:/&(euro|#8364);/g,val:"€"},copyright:{regex:/&(copy|#169);/g,val:"©"},reg:{regex:/&(reg|#174);/g,val:"®"},inr:{regex:/&(inr|#8377);/g,val:"₹"},num_dec:{regex:/&#([0-9]{1,7});/g,val:(t,e)=>rt(e,10,"&#")},num_hex:{regex:/&#x([0-9a-fA-F]{1,6});/g,val:(t,e)=>rt(e,16,"&#x")}},this.addExternalEntities=Y,this.parseXml=J,this.parseTextData=z,this.resolveNameSpace=X,this.buildAttributesMap=Z,this.isItStopNode=tt,this.replaceEntitiesValue=Q,this.readStopNodeData=nt,this.saveTextToParentTag=H,this.addChild=K,this.ignoreAttributesFn="function"==typeof(e=this.options.ignoreAttributes)?e:Array.isArray(e)?t=>{for(const i of e){if("string"==typeof i&&t===i)return!0;if(i instanceof RegExp&&i.test(t))return!0}}:()=>!1,this.entityExpansionCount=0,this.currentExpandedLength=0,this.matcher=new G,this.readonlyMatcher=this.matcher.readOnly(),this.isCurrentNodeStopNode=!1,this.options.stopNodes&&this.options.stopNodes.length>0){this.stopNodeExpressions=[];for(let t=0;t0)){o||(t=this.replaceEntitiesValue(t,e,i));const n=this.options.jPath?i.toString():i,a=this.options.tagValueProcessor(e,t,n,s,r);return null==a?t:typeof a!=typeof t||a!==t?a:this.options.trimValues||t.trim()===t?st(t,this.options.parseTagValue,this.options.numberParseOptions):t}}function X(t){if(this.options.removeNSPrefix){const e=t.split(":"),i="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=i+e[1])}return t}const q=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function Z(t,e,i){if(!0!==this.options.ignoreAttributes&&"string"==typeof t){const n=s(t,q),r=n.length,o={},a={};for(let t=0;t0&&"object"==typeof e&&e.updateCurrent&&e.updateCurrent(a);for(let t=0;t",r,"Closing Tag is not closed.");let s=t.substring(r+2,e).trim();if(this.options.removeNSPrefix){const t=s.indexOf(":");-1!==t&&(s=s.substr(t+1))}s=ot(this.options.transformTagName,s,"",this.options).tagName,i&&(n=this.saveTextToParentTag(n,i,this.readonlyMatcher));const o=this.matcher.getCurrentTag();if(s&&-1!==this.options.unpairedTags.indexOf(s))throw new Error(`Unpaired tag can not be used as closing tag: `);o&&-1!==this.options.unpairedTags.indexOf(o)&&(this.matcher.pop(),this.tagsNodeStack.pop()),this.matcher.pop(),this.isCurrentNodeStopNode=!1,i=this.tagsNodeStack.pop(),n="",r=e}else if("?"===t[r+1]){let e=it(t,r,!1,"?>");if(!e)throw new Error("Pi Tag is not closed.");if(n=this.saveTextToParentTag(n,i,this.readonlyMatcher),this.options.ignoreDeclaration&&"?xml"===e.tagName||this.options.ignorePiTags);else{const t=new $(e.tagName);t.add(this.options.textNodeName,""),e.tagName!==e.tagExp&&e.attrExpPresent&&(t[":@"]=this.buildAttributesMap(e.tagExp,this.matcher,e.tagName)),this.addChild(i,t,this.readonlyMatcher,r)}r=e.closeIndex+1}else if("!--"===t.substr(r+1,3)){const e=et(t,"--\x3e",r+4,"Comment is not closed.");if(this.options.commentPropName){const s=t.substring(r+4,e-2);n=this.saveTextToParentTag(n,i,this.readonlyMatcher),i.add(this.options.commentPropName,[{[this.options.textNodeName]:s}])}r=e}else if("!D"===t.substr(r+1,2)){const e=s.readDocType(t,r);this.docTypeEntities=e.entities,r=e.i}else if("!["===t.substr(r+1,2)){const e=et(t,"]]>",r,"CDATA is not closed.")-2,s=t.substring(r+9,e);n=this.saveTextToParentTag(n,i,this.readonlyMatcher);let o=this.parseTextData(s,i.tagname,this.readonlyMatcher,!0,!1,!0,!0);null==o&&(o=""),this.options.cdataPropName?i.add(this.options.cdataPropName,[{[this.options.textNodeName]:s}]):i.add(this.options.textNodeName,o),r=e+2}else{let s=it(t,r,this.options.removeNSPrefix);if(!s){const e=t.substring(Math.max(0,r-50),Math.min(t.length,r+50));throw new Error(`readTagExp returned undefined at position ${r}. Context: "${e}"`)}let o=s.tagName;const a=s.rawTagName;let h=s.tagExp,l=s.attrExpPresent,p=s.closeIndex;if(({tagName:o,tagExp:h}=ot(this.options.transformTagName,o,h,this.options)),this.options.strictReservedNames&&(o===this.options.commentPropName||o===this.options.cdataPropName||o===this.options.textNodeName||o===this.options.attributesGroupName))throw new Error(`Invalid tag name: ${o}`);i&&n&&"!xml"!==i.tagname&&(n=this.saveTextToParentTag(n,i,this.readonlyMatcher,!1));const u=i;u&&-1!==this.options.unpairedTags.indexOf(u.tagname)&&(i=this.tagsNodeStack.pop(),this.matcher.pop());let c=!1;h.length>0&&h.lastIndexOf("/")===h.length-1&&(c=!0,"/"===o[o.length-1]?(o=o.substr(0,o.length-1),h=o):h=h.substr(0,h.length-1),l=o!==h);let d,f=null,g={};d=B(a),o!==e.tagname&&this.matcher.push(o,{},d),o!==h&&l&&(f=this.buildAttributesMap(h,this.matcher,o),f&&(g=U(f,this.options))),o!==e.tagname&&(this.isCurrentNodeStopNode=this.isItStopNode(this.stopNodeExpressions,this.matcher));const m=r;if(this.isCurrentNodeStopNode){let e="";if(c)r=s.closeIndex;else if(-1!==this.options.unpairedTags.indexOf(o))r=s.closeIndex;else{const i=this.readStopNodeData(t,a,p+1);if(!i)throw new Error(`Unexpected end of ${a}`);r=i.i,e=i.tagContent}const n=new $(o);f&&(n[":@"]=f),n.add(this.options.textNodeName,e),this.matcher.pop(),this.isCurrentNodeStopNode=!1,this.addChild(i,n,this.readonlyMatcher,m)}else{if(c){({tagName:o,tagExp:h}=ot(this.options.transformTagName,o,h,this.options));const t=new $(o);f&&(t[":@"]=f),this.addChild(i,t,this.readonlyMatcher,m),this.matcher.pop(),this.isCurrentNodeStopNode=!1}else{if(-1!==this.options.unpairedTags.indexOf(o)){const t=new $(o);f&&(t[":@"]=f),this.addChild(i,t,this.readonlyMatcher,m),this.matcher.pop(),this.isCurrentNodeStopNode=!1,r=s.closeIndex;continue}{const t=new $(o);if(this.tagsNodeStack.length>this.options.maxNestedTags)throw new Error("Maximum nested tags exceeded");this.tagsNodeStack.push(i),f&&(t[":@"]=f),this.addChild(i,t,this.readonlyMatcher,m),i=t}}n="",r=p}}else n+=t[r];return e.child};function K(t,e,i,n){this.options.captureMetaData||(n=void 0);const s=this.options.jPath?i.toString():i,r=this.options.updateTag(e.tagname,s,e[":@"]);!1===r||("string"==typeof r?(e.tagname=r,t.addChild(e,n)):t.addChild(e,n))}function Q(t,e,i){const n=this.options.processEntities;if(!n||!n.enabled)return t;if(n.allowedTags){const s=this.options.jPath?i.toString():i;if(!(Array.isArray(n.allowedTags)?n.allowedTags.includes(e):n.allowedTags(e,s)))return t}if(n.tagFilter){const s=this.options.jPath?i.toString():i;if(!n.tagFilter(e,s))return t}for(const e of Object.keys(this.docTypeEntities)){const i=this.docTypeEntities[e],s=t.match(i.regx);if(s){if(this.entityExpansionCount+=s.length,n.maxTotalExpansions&&this.entityExpansionCount>n.maxTotalExpansions)throw new Error(`Entity expansion limit exceeded: ${this.entityExpansionCount} > ${n.maxTotalExpansions}`);const e=t.length;if(t=t.replace(i.regx,i.val),n.maxExpandedLength&&(this.currentExpandedLength+=t.length-e,this.currentExpandedLength>n.maxExpandedLength))throw new Error(`Total expanded content size exceeded: ${this.currentExpandedLength} > ${n.maxExpandedLength}`)}}for(const e of Object.keys(this.lastEntities)){const i=this.lastEntities[e],s=t.match(i.regex);if(s&&(this.entityExpansionCount+=s.length,n.maxTotalExpansions&&this.entityExpansionCount>n.maxTotalExpansions))throw new Error(`Entity expansion limit exceeded: ${this.entityExpansionCount} > ${n.maxTotalExpansions}`);t=t.replace(i.regex,i.val)}if(-1===t.indexOf("&"))return t;if(this.options.htmlEntities)for(const e of Object.keys(this.htmlEntities)){const i=this.htmlEntities[e],s=t.match(i.regex);if(s&&(this.entityExpansionCount+=s.length,n.maxTotalExpansions&&this.entityExpansionCount>n.maxTotalExpansions))throw new Error(`Entity expansion limit exceeded: ${this.entityExpansionCount} > ${n.maxTotalExpansions}`);t=t.replace(i.regex,i.val)}return t.replace(this.ampEntity.regex,this.ampEntity.val)}function H(t,e,i,n){return t&&(void 0===n&&(n=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,i,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,n))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function tt(t,e){if(!t||0===t.length)return!1;for(let i=0;i"){let n,s="";for(let r=e;r",i,`${e} is not closed`);if(t.substring(i+2,r).trim()===e&&(s--,0===s))return{tagContent:t.substring(n,i),i:r};i=r}else if("?"===t[i+1])i=et(t,"?>",i+1,"StopNode is not closed.");else if("!--"===t.substr(i+1,3))i=et(t,"--\x3e",i+3,"StopNode is not closed.");else if("!["===t.substr(i+1,2))i=et(t,"]]>",i,"StopNode is not closed.")-2;else{const n=it(t,i,">");n&&((n&&n.tagName)===e&&"/"!==n.tagExp[n.tagExp.length-1]&&s++,i=n.closeIndex)}}function st(t,e,i){if(e&&"string"==typeof t){const e=t.trim();return"true"===e||"false"!==e&&function(t,e={}){if(e=Object.assign({},k,e),!t||"string"!=typeof t)return t;let i=t.trim();if(void 0!==e.skipLike&&e.skipLike.test(i))return t;if("0"===t)return 0;if(e.hex&&D.test(i))return function(t){if(parseInt)return parseInt(t,16);if(Number.parseInt)return Number.parseInt(t,16);if(window&&window.parseInt)return window.parseInt(t,16);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}(i);if(isFinite(i)){if(i.includes("e")||i.includes("E"))return function(t,e,i){if(!i.eNotation)return t;const n=e.match(F);if(n){let s=n[1]||"";const r=-1===n[3].indexOf("e")?"E":"e",o=n[2],a=s?t[o.length+1]===r:t[o.length]===r;return o.length>1&&a?t:(1!==o.length||!n[3].startsWith(`.${r}`)&&n[3][0]!==r)&&o.length>0?i.leadingZeros&&!a?(e=(n[1]||"")+n[3],Number(e)):t:Number(e)}return t}(t,i,e);{const s=V.exec(i);if(s){const r=s[1]||"",o=s[2];let a=(n=s[3])&&-1!==n.indexOf(".")?("."===(n=n.replace(/0+$/,""))?n="0":"."===n[0]?n="0"+n:"."===n[n.length-1]&&(n=n.substring(0,n.length-1)),n):n;const h=r?"."===t[o.length+1]:"."===t[o.length];if(!e.leadingZeros&&(o.length>1||1===o.length&&!h))return t;{const n=Number(i),s=String(n);if(0===n)return n;if(-1!==s.search(/[eE]/))return e.eNotation?n:t;if(-1!==i.indexOf("."))return"0"===s||s===a||s===`${r}${a}`?n:t;let h=o?a:i;return o?h===s||r+h===s?n:t:h===s||h===r+s?n:t}}return t}}var n;return function(t,e,i){const n=e===1/0;switch(i.infinity.toLowerCase()){case"null":return null;case"infinity":return e;case"string":return n?"Infinity":"-Infinity";default:return t}}(t,Number(i),e)}(t,i)}return void 0!==t?t:""}function rt(t,e,i){const n=Number.parseInt(t,e);return n>=0&&n<=1114111?String.fromCodePoint(n):i+t+";"}function ot(t,e,i,n){if(t){const n=t(e);i===e&&(i=n),e=n}return{tagName:e=at(e,n),tagExp:i}}function at(t,e){if(a.includes(t))throw new Error(`[SECURITY] Invalid name: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);return o.includes(t)?e.onDangerousProperty(t):t}const ht=$.getMetaDataSymbol();function lt(t,e){if(!t||"object"!=typeof t)return{};if(!e)return t;const i={};for(const n in t)n.startsWith(e)?i[n.substring(e.length)]=t[n]:i[n]=t[n];return i}function pt(t,e,i,n){return ut(t,e,i,n)}function ut(t,e,i,n){let s;const r={};for(let o=0;o0&&(r[e.textNodeName]=s):void 0!==s&&(r[e.textNodeName]=s),r}function ct(t){const e=Object.keys(t);for(let t=0;t0&&(i="\n");const n=[];if(e.stopNodes&&Array.isArray(e.stopNodes))for(let t=0;te.maxNestedTags)throw new Error("Maximum nested tags exceeded");if(!Array.isArray(t)){if(null!=t){let i=t.toString();return i=Tt(i,e),i}return""}for(let a=0;a`,o=!1,n.pop();continue}if(l===e.commentPropName){r+=i+`\x3c!--${h[l][0][e.textNodeName]}--\x3e`,o=!0,n.pop();continue}if("?"===l[0]){const t=wt(h[":@"],e,u),s="?xml"===l?"":i;let a=h[l][0][e.textNodeName];a=0!==a.length?" "+a:"",r+=s+`<${l}${a}${t}?>`,o=!0,n.pop();continue}let c=i;""!==c&&(c+=e.indentBy);const d=i+`<${l}${wt(h[":@"],e,u)}`;let f;f=u?bt(h[l],e):xt(h[l],e,c,n,s),-1!==e.unpairedTags.indexOf(l)?e.suppressUnpairedNode?r+=d+">":r+=d+"/>":f&&0!==f.length||!e.suppressEmptyNode?f&&f.endsWith(">")?r+=d+`>${f}${i}`:(r+=d+">",f&&""!==i&&(f.includes("/>")||f.includes("`):r+=d+"/>",o=!0,n.pop()}return r}function Nt(t,e){if(!t||e.ignoreAttributes)return null;const i={};let n=!1;for(let s in t)Object.prototype.hasOwnProperty.call(t,s)&&(i[s.startsWith(e.attributeNamePrefix)?s.substr(e.attributeNamePrefix.length):s]=t[s],n=!0);return n?i:null}function bt(t,e){if(!Array.isArray(t))return null!=t?t.toString():"";let i="";for(let n=0;n${n}`:i+=`<${r}${t}/>`}}}return i}function Et(t,e){let i="";if(t&&!e.ignoreAttributes)for(let n in t){if(!Object.prototype.hasOwnProperty.call(t,n))continue;let s=t[n];!0===s&&e.suppressBooleanAttributes?i+=` ${n.substr(e.attributeNamePrefix.length)}`:i+=` ${n.substr(e.attributeNamePrefix.length)}="${s}"`}return i}function yt(t){const e=Object.keys(t);for(let i=0;i0&&e.processEntities)for(let i=0;i","g"),val:">"},{regex:new RegExp("<","g"),val:"<"},{regex:new RegExp("'","g"),val:"'"},{regex:new RegExp('"',"g"),val:"""}],processEntities:!0,stopNodes:[],oneListGroup:!1,maxNestedTags:100,jPath:!0};function St(t){if(this.options=Object.assign({},Pt,t),this.options.stopNodes&&Array.isArray(this.options.stopNodes)&&(this.options.stopNodes=this.options.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),this.stopNodeExpressions=[],this.options.stopNodes&&Array.isArray(this.options.stopNodes))for(let t=0;t{for(const i of e){if("string"==typeof i&&t===i)return!0;if(i instanceof RegExp&&i.test(t))return!0}}:()=>!1,this.attrPrefixLen=this.options.attributeNamePrefix.length,this.isAttribute=Ct),this.processTextOrObjNode=At,this.options.format?(this.indentate=Ot,this.tagEndChar=">\n",this.newLine="\n"):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function At(t,e,i,n){const s=this.extractAttributes(t);if(n.push(e,s),this.checkStopNode(n)){const s=this.buildRawContent(t),r=this.buildAttributesForStopNode(t);return n.pop(),this.buildObjectNode(s,e,r,i)}const r=this.j2x(t,i+1,n);return n.pop(),void 0!==t[this.options.textNodeName]&&1===Object.keys(t).length?this.buildTextValNode(t[this.options.textNodeName],e,r.attrStr,i,n):this.buildObjectNode(r.val,e,r.attrStr,i)}function Ot(t){return this.options.indentBy.repeat(t)}function Ct(t){return!(!t.startsWith(this.options.attributeNamePrefix)||t===this.options.textNodeName)&&t.substr(this.attrPrefixLen)}St.prototype.build=function(t){if(this.options.preserveOrder)return mt(t,this.options);{Array.isArray(t)&&this.options.arrayNodeName&&this.options.arrayNodeName.length>1&&(t={[this.options.arrayNodeName]:t});const e=new G;return this.j2x(t,0,e).val}},St.prototype.j2x=function(t,e,i){let n="",s="";if(this.options.maxNestedTags&&i.getDepth()>=this.options.maxNestedTags)throw new Error("Maximum nested tags exceeded");const r=this.options.jPath?i.toString():i,o=this.checkStopNode(i);for(let a in t)if(Object.prototype.hasOwnProperty.call(t,a))if(void 0===t[a])this.isAttribute(a)&&(s+="");else if(null===t[a])this.isAttribute(a)||a===this.options.cdataPropName?s+="":"?"===a[0]?s+=this.indentate(e)+"<"+a+"?"+this.tagEndChar:s+=this.indentate(e)+"<"+a+"/"+this.tagEndChar;else if(t[a]instanceof Date)s+=this.buildTextValNode(t[a],a,"",e,i);else if("object"!=typeof t[a]){const h=this.isAttribute(a);if(h&&!this.ignoreAttributesFn(h,r))n+=this.buildAttrPairStr(h,""+t[a],o);else if(!h)if(a===this.options.textNodeName){let e=this.options.tagValueProcessor(a,""+t[a]);s+=this.replaceEntitiesValue(e)}else{i.push(a);const n=this.checkStopNode(i);if(i.pop(),n){const i=""+t[a];s+=""===i?this.indentate(e)+"<"+a+this.closeTag(a)+this.tagEndChar:this.indentate(e)+"<"+a+">"+i+""+t+"${t}`;else if("object"==typeof t&&null!==t){const n=this.buildRawContent(t),s=this.buildAttributesForStopNode(t);e+=""===n?`<${i}${s}/>`:`<${i}${s}>${n}`}}else if("object"==typeof n&&null!==n){const t=this.buildRawContent(n),s=this.buildAttributesForStopNode(n);e+=""===t?`<${i}${s}/>`:`<${i}${s}>${t}`}else e+=`<${i}>${n}`}return e},St.prototype.buildAttributesForStopNode=function(t){if(!t||"object"!=typeof t)return"";let e="";if(this.options.attributesGroupName&&t[this.options.attributesGroupName]){const i=t[this.options.attributesGroupName];for(let t in i){if(!Object.prototype.hasOwnProperty.call(i,t))continue;const n=t.startsWith(this.options.attributeNamePrefix)?t.substring(this.options.attributeNamePrefix.length):t,s=i[t];!0===s&&this.options.suppressBooleanAttributes?e+=" "+n:e+=" "+n+'="'+s+'"'}}else for(let i in t){if(!Object.prototype.hasOwnProperty.call(t,i))continue;const n=this.isAttribute(i);if(n){const s=t[i];!0===s&&this.options.suppressBooleanAttributes?e+=" "+n:e+=" "+n+'="'+s+'"'}}return e},St.prototype.buildObjectNode=function(t,e,i,n){if(""===t)return"?"===e[0]?this.indentate(n)+"<"+e+i+"?"+this.tagEndChar:this.indentate(n)+"<"+e+i+this.closeTag(e)+this.tagEndChar;{let s=""+t+s}},St.prototype.closeTag=function(t){let e="";return-1!==this.options.unpairedTags.indexOf(t)?this.options.suppressUnpairedNode||(e="/"):e=this.options.suppressEmptyNode?"/":`>`+this.newLine;if(!1!==this.options.commentPropName&&e===this.options.commentPropName)return this.indentate(n)+`\x3c!--${t}--\x3e`+this.newLine;if("?"===e[0])return this.indentate(n)+"<"+e+i+"?"+this.tagEndChar;{let s=this.options.tagValueProcessor(e,t);return s=this.replaceEntitiesValue(s),""===s?this.indentate(n)+"<"+e+i+this.closeTag(e)+this.tagEndChar:this.indentate(n)+"<"+e+i+">"+s+"0&&this.options.processEntities)for(let e=0;e{"use strict";var t={d:(e,n)=>{for(var i in n)t.o(n,i)&&!t.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:n[i]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{XMLBuilder:()=>Bt,XMLParser:()=>Tt,XMLValidator:()=>Ut});const n=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",i=new RegExp("^["+n+"]["+n+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function s(t,e){const n=[];let i=e.exec(t);for(;i;){const s=[];s.startIndex=e.lastIndex-i[0].length;const r=i.length;for(let t=0;t"!==t[r]&&" "!==t[r]&&"\t"!==t[r]&&"\n"!==t[r]&&"\r"!==t[r];r++)h+=t[r];if(h=h.trim(),"/"===h[h.length-1]&&(h=h.substring(0,h.length-1),r--),!E(h)){let e;return e=0===h.trim().length?"Invalid space after '<'.":"Tag '"+h+"' is an invalid name.",b("InvalidTag",e,w(t,r))}const l=g(t,r);if(!1===l)return b("InvalidAttr","Attributes for '"+h+"' have open quote.",w(t,r));let d=l.value;if(r=l.index,"/"===d[d.length-1]){const n=r-d.length;d=d.substring(0,d.length-1);const s=x(d,e);if(!0!==s)return b(s.err.code,s.err.msg,w(t,n+s.err.line));i=!0}else if(a){if(!l.tagClosed)return b("InvalidTag","Closing tag '"+h+"' doesn't have proper closing.",w(t,r));if(d.trim().length>0)return b("InvalidTag","Closing tag '"+h+"' can't have attributes or invalid starting.",w(t,o));if(0===n.length)return b("InvalidTag","Closing tag '"+h+"' has not been opened.",w(t,o));{const e=n.pop();if(h!==e.tagName){let n=w(t,e.tagStartPos);return b("InvalidTag","Expected closing tag '"+e.tagName+"' (opened in line "+n.line+", col "+n.col+") instead of closing tag '"+h+"'.",w(t,o))}0==n.length&&(s=!0)}}else{const a=x(d,e);if(!0!==a)return b(a.err.code,a.err.msg,w(t,r-d.length+a.err.line));if(!0===s)return b("InvalidXml","Multiple possible root nodes found.",w(t,r));-1!==e.unpairedTags.indexOf(h)||n.push({tagName:h,tagStartPos:o}),i=!0}for(r++;r0)||b("InvalidXml","Invalid '"+JSON.stringify(n.map(t=>t.tagName),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):b("InvalidXml","Start tag expected.",1)}function u(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function p(t,e){const n=e;for(;e5&&"xml"===i)return b("InvalidXml","XML declaration allowed only at the start of the document.",w(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}continue}return e}function c(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){let n=1;for(e+=8;e"===t[e]&&(n--,0===n))break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e"===t[e+2]){e+=2;break}return e}const d='"',f="'";function g(t,e){let n="",i="",s=!1;for(;e"===t[e]&&""===i){s=!0;break}n+=t[e]}return""===i&&{value:n,index:e,tagClosed:s}}const m=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function x(t,e){const n=s(t,m),i={};for(let t=0;to.includes(t)?"__"+t:t,_={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:()=>!1,commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,entityDecoder:null,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,n){return t},captureMetaData:!1,maxNestedTags:100,strictReservedNames:!0,jPath:!0,onDangerousProperty:S};function A(t,e){if("string"!=typeof t)return;const n=t.toLowerCase();if(o.some(t=>n===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);if(a.some(t=>n===t.toLowerCase()))throw new Error(`[SECURITY] Invalid ${e}: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`)}function T(t,e){return"boolean"==typeof t?{enabled:t,maxEntitySize:1e4,maxExpansionDepth:1e4,maxTotalExpansions:1/0,maxExpandedLength:1e5,maxEntityCount:1e3,allowedTags:null,tagFilter:null,appliesTo:"all"}:"object"==typeof t&&null!==t?{enabled:!1!==t.enabled,maxEntitySize:Math.max(1,t.maxEntitySize??1e4),maxExpansionDepth:Math.max(1,t.maxExpansionDepth??1e4),maxTotalExpansions:Math.max(1,t.maxTotalExpansions??1/0),maxExpandedLength:Math.max(1,t.maxExpandedLength??1e5),maxEntityCount:Math.max(1,t.maxEntityCount??1e3),allowedTags:t.allowedTags??null,tagFilter:t.tagFilter??null,appliesTo:t.appliesTo??"all"}:T(!0)}const C=function(t){const e=Object.assign({},_,t),n=[{value:e.attributeNamePrefix,name:"attributeNamePrefix"},{value:e.attributesGroupName,name:"attributesGroupName"},{value:e.textNodeName,name:"textNodeName"},{value:e.cdataPropName,name:"cdataPropName"},{value:e.commentPropName,name:"commentPropName"}];for(const{value:t,name:e}of n)t&&A(t,e);return null===e.onDangerousProperty&&(e.onDangerousProperty=S),e.processEntities=T(e.processEntities,e.htmlEntities),e.unpairedTagsSet=new Set(e.unpairedTags),e.stopNodes&&Array.isArray(e.stopNodes)&&(e.stopNodes=e.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),e};let P;P="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");class O{constructor(t){this.tagname=t,this.child=[],this[":@"]=Object.create(null)}add(t,e){"__proto__"===t&&(t="#__proto__"),this.child.push({[t]:e})}addChild(t,e){"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push({[t.tagname]:t.child,":@":t[":@"]}):this.child.push({[t.tagname]:t.child}),void 0!==e&&(this.child[this.child.length-1][P]={startIndex:e})}static getMetaDataSymbol(){return P}}class ${constructor(t){this.suppressValidationErr=!t,this.options=t}readDocType(t,e){const n=Object.create(null);let i=0;if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");{e+=9;let s=1,r=!1,o=!1,a="";for(;e"===t[e]){if(o?"-"===t[e-1]&&"-"===t[e-2]&&(o=!1,s--):s--,0===s)break}else"["===t[e]?r=!0:a+=t[e];else{if(r&&D(t,"!ENTITY",e)){let s,r;if(e+=7,[s,r,e]=this.readEntityExp(t,e+1,this.suppressValidationErr),-1===r.indexOf("&")){if(!1!==this.options.enabled&&null!=this.options.maxEntityCount&&i>=this.options.maxEntityCount)throw new Error(`Entity count (${i+1}) exceeds maximum allowed (${this.options.maxEntityCount})`);n[s]=r,i++}}else if(r&&D(t,"!ELEMENT",e)){e+=8;const{index:n}=this.readElementExp(t,e+1);e=n}else if(r&&D(t,"!ATTLIST",e))e+=8;else if(r&&D(t,"!NOTATION",e)){e+=9;const{index:n}=this.readNotationExp(t,e+1,this.suppressValidationErr);e=n}else{if(!D(t,"!--",e))throw new Error("Invalid DOCTYPE");o=!0}s++,a=""}if(0!==s)throw new Error("Unclosed DOCTYPE")}return{entities:n,i:e}}readEntityExp(t,e){const n=e=I(t,e);for(;ethis.options.maxEntitySize)throw new Error(`Entity "${i}" size (${s.length}) exceeds maximum allowed size (${this.options.maxEntitySize})`);return[i,s,--e]}readNotationExp(t,e){const n=e=I(t,e);for(;e{for(;e0?t[t.length-1].tag:void 0}getCurrentNamespace(){const t=this._matcher.path;return t.length>0?t[t.length-1].namespace:void 0}getAttrValue(t){const e=this._matcher.path;if(0!==e.length)return e[e.length-1].values?.[t]}hasAttr(t){const e=this._matcher.path;if(0===e.length)return!1;const n=e[e.length-1];return void 0!==n.values&&t in n.values}getPosition(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].position??0}getCounter(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this._matcher.path.length}toString(t,e=!0){return this._matcher.toString(t,e)}toArray(){return this._matcher.path.map(t=>t.tag)}matches(t){return this._matcher.matches(t)}matchesAny(t){return t.matchesAny(this._matcher)}}class R{constructor(t={}){this.separator=t.separator||".",this.path=[],this.siblingStacks=[],this._pathStringCache=null,this._view=new F(this)}push(t,e=null,n=null){this._pathStringCache=null,this.path.length>0&&(this.path[this.path.length-1].values=void 0);const i=this.path.length;this.siblingStacks[i]||(this.siblingStacks[i]=new Map);const s=this.siblingStacks[i],r=n?`${n}:${t}`:t,o=s.get(r)||0;let a=0;for(const t of s.values())a+=t;s.set(r,o+1);const h={tag:t,position:a,counter:o};null!=n&&(h.namespace=n),null!=e&&(h.values=e),this.path.push(h)}pop(){if(0===this.path.length)return;this._pathStringCache=null;const t=this.path.pop();return this.siblingStacks.length>this.path.length+1&&(this.siblingStacks.length=this.path.length+1),t}updateCurrent(t){if(this.path.length>0){const e=this.path[this.path.length-1];null!=t&&(e.values=t)}}getCurrentTag(){return this.path.length>0?this.path[this.path.length-1].tag:void 0}getCurrentNamespace(){return this.path.length>0?this.path[this.path.length-1].namespace:void 0}getAttrValue(t){if(0!==this.path.length)return this.path[this.path.length-1].values?.[t]}hasAttr(t){if(0===this.path.length)return!1;const e=this.path[this.path.length-1];return void 0!==e.values&&t in e.values}getPosition(){return 0===this.path.length?-1:this.path[this.path.length-1].position??0}getCounter(){return 0===this.path.length?-1:this.path[this.path.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this.path.length}toString(t,e=!0){const n=t||this.separator;if(n===this.separator&&!0===e){if(null!==this._pathStringCache)return this._pathStringCache;const t=this.path.map(t=>t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(n);return this._pathStringCache=t,t}return this.path.map(t=>e&&t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(n)}toArray(){return this.path.map(t=>t.tag)}reset(){this._pathStringCache=null,this.path=[],this.siblingStacks=[]}matches(t){const e=t.segments;return 0!==e.length&&(t.hasDeepWildcard()?this._matchWithDeepWildcard(e):this._matchSimple(e))}_matchSimple(t){if(this.path.length!==t.length)return!1;for(let e=0;e=0&&e>=0;){const i=t[n];if("deep-wildcard"===i.type){if(n--,n<0)return!0;const i=t[n];let s=!1;for(let t=e;t>=0;t--)if(this._matchSegment(i,this.path[t],t===this.path.length-1)){e=t-1,n--,s=!0;break}if(!s)return!1}else{if(!this._matchSegment(i,this.path[e],e===this.path.length-1))return!1;e--,n--}}return n<0}_matchSegment(t,e,n){if("*"!==t.tag&&t.tag!==e.tag)return!1;if(void 0!==t.namespace&&"*"!==t.namespace&&t.namespace!==e.namespace)return!1;if(void 0!==t.attrName){if(!n)return!1;if(!e.values||!(t.attrName in e.values))return!1;if(void 0!==t.attrValue&&String(e.values[t.attrName])!==String(t.attrValue))return!1}if(void 0!==t.position){if(!n)return!1;const i=e.counter??0;if("first"===t.position&&0!==i)return!1;if("odd"===t.position&&i%2!=1)return!1;if("even"===t.position&&i%2!=0)return!1;if("nth"===t.position&&i!==t.positionValue)return!1}return!0}matchesAny(t){return t.matchesAny(this)}snapshot(){return{path:this.path.map(t=>({...t})),siblingStacks:this.siblingStacks.map(t=>new Map(t))}}restore(t){this._pathStringCache=null,this.path=t.path.map(t=>({...t})),this.siblingStacks=t.siblingStacks.map(t=>new Map(t))}readOnly(){return this._view}}class G{constructor(t,e={},n){this.pattern=t,this.separator=e.separator||".",this.segments=this._parse(t),this.data=n,this._hasDeepWildcard=this.segments.some(t=>"deep-wildcard"===t.type),this._hasAttributeCondition=this.segments.some(t=>void 0!==t.attrName),this._hasPositionSelector=this.segments.some(t=>void 0!==t.position)}_parse(t){const e=[];let n=0,i="";for(;n",lt:"<",quot:'"'},X={nbsp:" ",copy:"©",reg:"®",trade:"™",mdash:"—",ndash:"–",hellip:"…",laquo:"«",raquo:"»",lsquo:"‘",rsquo:"’",ldquo:"“",rdquo:"”",bull:"•",para:"¶",sect:"§",deg:"°",frac12:"½",frac14:"¼",frac34:"¾"},Y=new Set("!?\\\\/[]$%{}^&*()<>|+");function z(t){if("#"===t[0])throw new Error(`[EntityReplacer] Invalid character '#' in entity name: "${t}"`);for(const e of t)if(Y.has(e))throw new Error(`[EntityReplacer] Invalid character '${e}' in entity name: "${t}"`);return t}function q(...t){const e=Object.create(null);for(const n of t)if(n)for(const t of Object.keys(n)){const i=n[t];if("string"==typeof i)e[t]=i;else if(i&&"object"==typeof i&&void 0!==i.val){const n=i.val;"string"==typeof n&&(e[t]=n)}}return e}const Z="external",J="base",K="all",Q=Object.freeze({allow:0,leave:1,remove:2,throw:3}),H=new Set([9,10,13]);class tt{constructor(t={}){var e;this._limit=t.limit||{},this._maxTotalExpansions=this._limit.maxTotalExpansions||0,this._maxExpandedLength=this._limit.maxExpandedLength||0,this._postCheck="function"==typeof t.postCheck?t.postCheck:t=>t,this._limitTiers=(e=this._limit.applyLimitsTo??Z)&&e!==Z?e===K?new Set([K]):e===J?new Set([J]):Array.isArray(e)?new Set(e):new Set([Z]):new Set([Z]),this._numericAllowed=t.numericAllowed??!0,this._baseMap=q(W,t.namedEntities||null),this._externalMap=Object.create(null),this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this._removeSet=new Set(t.remove&&Array.isArray(t.remove)?t.remove:[]),this._leaveSet=new Set(t.leave&&Array.isArray(t.leave)?t.leave:[]);const n=function(t){if(!t)return{xmlVersion:1,onLevel:Q.allow,nullLevel:Q.remove};const e=1.1===t.xmlVersion?1.1:1,n=Q[t.onNCR]??Q.allow,i=Q[t.nullNCR]??Q.remove;return{xmlVersion:e,onLevel:n,nullLevel:Math.max(i,Q.remove)}}(t.ncr);this._ncrXmlVersion=n.xmlVersion,this._ncrOnLevel=n.onLevel,this._ncrNullLevel=n.nullLevel}setExternalEntities(t){if(t)for(const e of Object.keys(t))z(e);this._externalMap=q(t)}addExternalEntity(t,e){z(t),"string"==typeof e&&-1===e.indexOf("&")&&(this._externalMap[t]=e)}addInputEntities(t){this._totalExpansions=0,this._expandedLength=0,this._inputMap=q(t)}reset(){return this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this}setXmlVersion(t){this._ncrXmlVersion=1.1===t?1.1:1}decode(t){if("string"!=typeof t||0===t.length)return t;const e=t,n=[],i=t.length;let s=0,r=0;const o=this._maxTotalExpansions>0,a=this._maxExpandedLength>0,h=o||a;for(;r=i||59!==t.charCodeAt(e)){r++;continue}const l=t.slice(r+1,e);if(0===l.length){r++;continue}let u,p;if(this._removeSet.has(l))u="",void 0===p&&(p=Z);else{if(this._leaveSet.has(l)){r++;continue}if(35===l.charCodeAt(0)){const t=this._resolveNCR(l);if(void 0===t){r++;continue}u=t,p=J}else{const t=this._resolveName(l);u=t?.value,p=t?.tier}}if(void 0!==u){if(r>s&&n.push(t.slice(s,r)),n.push(u),s=e+1,r=s,h&&this._tierCounts(p)){if(o&&(this._totalExpansions++,this._totalExpansions>this._maxTotalExpansions))throw new Error(`[EntityReplacer] Entity expansion count limit exceeded: ${this._totalExpansions} > ${this._maxTotalExpansions}`);if(a){const t=u.length-(l.length+2);if(t>0&&(this._expandedLength+=t,this._expandedLength>this._maxExpandedLength))throw new Error(`[EntityReplacer] Expanded content length limit exceeded: ${this._expandedLength} > ${this._maxExpandedLength}`)}}}else r++}s=55296&&t<=57343||1===this._ncrXmlVersion&&t>=1&&t<=31&&!H.has(t)?Q.remove:-1}_applyNCRAction(t,e,n){switch(t){case Q.allow:return String.fromCodePoint(n);case Q.remove:return"";case Q.leave:return;case Q.throw:throw new Error(`[EntityDecoder] Prohibited numeric character reference &${e}; (U+${n.toString(16).toUpperCase().padStart(4,"0")})`);default:return String.fromCodePoint(n)}}_resolveNCR(t){const e=t.charCodeAt(1);let n;if(n=120===e||88===e?parseInt(t.slice(2),16):parseInt(t.slice(1),10),Number.isNaN(n)||n<0||n>1114111)return;const i=this._classifyNCR(n);if(!this._numericAllowed&&i0){const n=t.substring(0,e);if("xmlns"!==n)return n}}class it{constructor(t,e){var n;this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.parseXml=ht,this.parseTextData=st,this.resolveNameSpace=rt,this.buildAttributesMap=at,this.isItStopNode=ct,this.replaceEntitiesValue=ut,this.readStopNodeData=mt,this.saveTextToParentTag=pt,this.addChild=lt,this.ignoreAttributesFn="function"==typeof(n=this.options.ignoreAttributes)?n:Array.isArray(n)?t=>{for(const e of n){if("string"==typeof e&&t===e)return!0;if(e instanceof RegExp&&e.test(t))return!0}}:()=>!1,this.entityExpansionCount=0,this.currentExpandedLength=0;let i={...W};this.options.entityDecoder?this.entityDecoder=this.options.entityDecoder:("object"==typeof this.options.htmlEntities?i=this.options.htmlEntities:!0===this.options.htmlEntities&&(i={...X,...U}),this.entityDecoder=new tt({namedEntities:{...i,...e},numericAllowed:this.options.htmlEntities,limit:{maxTotalExpansions:this.options.processEntities.maxTotalExpansions,maxExpandedLength:this.options.processEntities.maxExpandedLength,applyLimitsTo:this.options.processEntities.appliesTo}})),this.matcher=new R,this.readonlyMatcher=this.matcher.readOnly(),this.isCurrentNodeStopNode=!1,this.stopNodeExpressionsSet=new B;const s=this.options.stopNodes;if(s&&s.length>0){for(let t=0;t0)){o||(t=this.replaceEntitiesValue(t,e,n));const i=a.jPath?n.toString():n,h=a.tagValueProcessor(e,t,i,s,r);return null==h?t:typeof h!=typeof t||h!==t?h:a.trimValues||t.trim()===t?xt(t,a.parseTagValue,a.numberParseOptions):t}}function rt(t){if(this.options.removeNSPrefix){const e=t.split(":"),n="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=n+e[1])}return t}const ot=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function at(t,e,n,i=!1){const r=this.options;if(!0===i||!0!==r.ignoreAttributes&&"string"==typeof t){const i=s(t,ot),o=i.length,a={},h=new Array(o);let l=!1;const u={};for(let t=0;t",a,"Closing Tag is not closed.");let r=t.substring(a+2,e).trim();if(s.removeNSPrefix){const t=r.indexOf(":");-1!==t&&(r=r.substr(t+1))}r=Nt(s.transformTagName,r,"",s).tagName,n&&(i=this.saveTextToParentTag(i,n,this.readonlyMatcher));const o=this.matcher.getCurrentTag();if(r&&s.unpairedTagsSet.has(r))throw new Error(`Unpaired tag can not be used as closing tag: `);o&&s.unpairedTagsSet.has(o)&&(this.matcher.pop(),this.tagsNodeStack.pop()),this.matcher.pop(),this.isCurrentNodeStopNode=!1,n=this.tagsNodeStack.pop(),i="",a=e}else if(63===h){let e=gt(t,a,!1,"?>");if(!e)throw new Error("Pi Tag is not closed.");i=this.saveTextToParentTag(i,n,this.readonlyMatcher);const r=this.buildAttributesMap(e.tagExp,this.matcher,e.tagName,!0);if(r){const t=r[this.options.attributeNamePrefix+"version"];this.entityDecoder.setXmlVersion(Number(t)||1)}if(s.ignoreDeclaration&&"?xml"===e.tagName||s.ignorePiTags);else{const t=new O(e.tagName);t.add(s.textNodeName,""),e.tagName!==e.tagExp&&e.attrExpPresent&&!0!==s.ignoreAttributes&&(t[":@"]=r),this.addChild(n,t,this.readonlyMatcher,a)}a=e.closeIndex+1}else if(33===h&&45===t.charCodeAt(a+2)&&45===t.charCodeAt(a+3)){const e=dt(t,"--\x3e",a+4,"Comment is not closed.");if(s.commentPropName){const r=t.substring(a+4,e-2);i=this.saveTextToParentTag(i,n,this.readonlyMatcher),n.add(s.commentPropName,[{[s.textNodeName]:r}])}a=e}else if(33===h&&68===t.charCodeAt(a+2)){const e=r.readDocType(t,a);this.entityDecoder.addInputEntities(e.entities),a=e.i}else if(33===h&&91===t.charCodeAt(a+2)){const e=dt(t,"]]>",a,"CDATA is not closed.")-2,r=t.substring(a+9,e);i=this.saveTextToParentTag(i,n,this.readonlyMatcher);let o=this.parseTextData(r,n.tagname,this.readonlyMatcher,!0,!1,!0,!0);null==o&&(o=""),s.cdataPropName?n.add(s.cdataPropName,[{[s.textNodeName]:r}]):n.add(s.textNodeName,o),a=e+2}else{let r=gt(t,a,s.removeNSPrefix);if(!r){const e=t.substring(Math.max(0,a-50),Math.min(o,a+50));throw new Error(`readTagExp returned undefined at position ${a}. Context: "${e}"`)}let h=r.tagName;const l=r.rawTagName;let u=r.tagExp,p=r.attrExpPresent,c=r.closeIndex;if(({tagName:h,tagExp:u}=Nt(s.transformTagName,h,u,s)),s.strictReservedNames&&(h===s.commentPropName||h===s.cdataPropName||h===s.textNodeName||h===s.attributesGroupName))throw new Error(`Invalid tag name: ${h}`);n&&i&&"!xml"!==n.tagname&&(i=this.saveTextToParentTag(i,n,this.readonlyMatcher,!1));const d=n;d&&s.unpairedTagsSet.has(d.tagname)&&(n=this.tagsNodeStack.pop(),this.matcher.pop());let f=!1;u.length>0&&u.lastIndexOf("/")===u.length-1&&(f=!0,"/"===h[h.length-1]?(h=h.substr(0,h.length-1),u=h):u=u.substr(0,u.length-1),p=h!==u);let g,m=null,x={};g=nt(l),h!==e.tagname&&this.matcher.push(h,{},g),h!==u&&p&&(m=this.buildAttributesMap(u,this.matcher,h),m&&(x=et(m,s))),h!==e.tagname&&(this.isCurrentNodeStopNode=this.isItStopNode());const N=a;if(this.isCurrentNodeStopNode){let e="";if(f)a=r.closeIndex;else if(s.unpairedTagsSet.has(h))a=r.closeIndex;else{const n=this.readStopNodeData(t,l,c+1);if(!n)throw new Error(`Unexpected end of ${l}`);a=n.i,e=n.tagContent}const i=new O(h);m&&(i[":@"]=m),i.add(s.textNodeName,e),this.matcher.pop(),this.isCurrentNodeStopNode=!1,this.addChild(n,i,this.readonlyMatcher,N)}else{if(f){({tagName:h,tagExp:u}=Nt(s.transformTagName,h,u,s));const t=new O(h);m&&(t[":@"]=m),this.addChild(n,t,this.readonlyMatcher,N),this.matcher.pop(),this.isCurrentNodeStopNode=!1}else{if(s.unpairedTagsSet.has(h)){const t=new O(h);m&&(t[":@"]=m),this.addChild(n,t,this.readonlyMatcher,N),this.matcher.pop(),this.isCurrentNodeStopNode=!1,a=r.closeIndex;continue}{const t=new O(h);if(this.tagsNodeStack.length>s.maxNestedTags)throw new Error("Maximum nested tags exceeded");this.tagsNodeStack.push(n),m&&(t[":@"]=m),this.addChild(n,t,this.readonlyMatcher,N),n=t}}i="",a=c}}}else i+=t[a];return e.child};function lt(t,e,n,i){this.options.captureMetaData||(i=void 0);const s=this.options.jPath?n.toString():n,r=this.options.updateTag(e.tagname,s,e[":@"]);!1===r||("string"==typeof r?(e.tagname=r,t.addChild(e,i)):t.addChild(e,i))}function ut(t,e,n){const i=this.options.processEntities;if(!i||!i.enabled)return t;if(i.allowedTags){const s=this.options.jPath?n.toString():n;if(!(Array.isArray(i.allowedTags)?i.allowedTags.includes(e):i.allowedTags(e,s)))return t}if(i.tagFilter){const s=this.options.jPath?n.toString():n;if(!i.tagFilter(e,s))return t}return this.entityDecoder.decode(t)}function pt(t,e,n,i){return t&&(void 0===i&&(i=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,n,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,i))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function ct(){return 0!==this.stopNodeExpressionsSet.size&&this.matcher.matchesAny(this.stopNodeExpressionsSet)}function dt(t,e,n,i){const s=t.indexOf(e,n);if(-1===s)throw new Error(i);return s+e.length-1}function ft(t,e,n,i){const s=t.indexOf(e,n);if(-1===s)throw new Error(i);return s}function gt(t,e,n,i=">"){const s=function(t,e,n=">"){let i=0;const s=t.length,r=n.charCodeAt(0),o=n.length>1?n.charCodeAt(1):-1;let a="",h=e;for(let n=e;n",n,`${e} is not closed`);if(t.substring(n+2,r).trim()===e&&(s--,0===s))return{tagContent:t.substring(i,n),i:r};n=r}else if(63===r)n=dt(t,"?>",n+1,"StopNode is not closed.");else if(33===r&&45===t.charCodeAt(n+2)&&45===t.charCodeAt(n+3))n=dt(t,"--\x3e",n+3,"StopNode is not closed.");else if(33===r&&91===t.charCodeAt(n+2))n=dt(t,"]]>",n,"StopNode is not closed.")-2;else{const i=gt(t,n,">");i&&((i&&i.tagName)===e&&"/"!==i.tagExp[i.tagExp.length-1]&&s++,n=i.closeIndex)}}}function xt(t,e,n){if(e&&"string"==typeof t){const e=t.trim();return"true"===e||"false"!==e&&function(t,e={}){if(e=Object.assign({},L,e),!t||"string"!=typeof t)return t;let n=t.trim();if(0===n.length)return t;if(void 0!==e.skipLike&&e.skipLike.test(n))return t;if("0"===n)return 0;if(e.hex&&j.test(n))return function(t){if(parseInt)return parseInt(t,16);if(Number.parseInt)return Number.parseInt(t,16);if(window&&window.parseInt)return window.parseInt(t,16);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}(n);if(isFinite(n)){if(n.includes("e")||n.includes("E"))return function(t,e,n){if(!n.eNotation)return t;const i=e.match(k);if(i){let s=i[1]||"";const r=-1===i[3].indexOf("e")?"E":"e",o=i[2],a=s?t[o.length+1]===r:t[o.length]===r;return o.length>1&&a?t:(1!==o.length||!i[3].startsWith(`.${r}`)&&i[3][0]!==r)&&o.length>0?n.leadingZeros&&!a?(e=(i[1]||"")+i[3],Number(e)):t:Number(e)}return t}(t,n,e);{const s=V.exec(n);if(s){const r=s[1]||"",o=s[2];let a=(i=s[3])&&-1!==i.indexOf(".")?("."===(i=i.replace(/0+$/,""))?i="0":"."===i[0]?i="0"+i:"."===i[i.length-1]&&(i=i.substring(0,i.length-1)),i):i;const h=r?"."===t[o.length+1]:"."===t[o.length];if(!e.leadingZeros&&(o.length>1||1===o.length&&!h))return t;{const i=Number(n),s=String(i);if(0===i)return i;if(-1!==s.search(/[eE]/))return e.eNotation?i:t;if(-1!==n.indexOf("."))return"0"===s||s===a||s===`${r}${a}`?i:t;let h=o?a:n;return o?h===s||r+h===s?i:t:h===s||h===r+s?i:t}}return t}}var i;return function(t,e,n){const i=e===1/0;switch(n.infinity.toLowerCase()){case"null":return null;case"infinity":return e;case"string":return i?"Infinity":"-Infinity";default:return t}}(t,Number(n),e)}(t,n)}return void 0!==t?t:""}function Nt(t,e,n,i){if(t){const i=t(e);n===e&&(n=i),e=i}return{tagName:e=bt(e,i),tagExp:n}}function bt(t,e){if(a.includes(t))throw new Error(`[SECURITY] Invalid name: "${t}" is a reserved JavaScript keyword that could cause prototype pollution`);return o.includes(t)?e.onDangerousProperty(t):t}const yt=O.getMetaDataSymbol();function Et(t,e){if(!t||"object"!=typeof t)return{};if(!e)return t;const n={};for(const i in t)i.startsWith(e)?n[i.substring(e.length)]=t[i]:n[i]=t[i];return n}function wt(t,e,n,i){return vt(t,e,n,i)}function vt(t,e,n,i){let s;const r={};for(let o=0;o0&&(r[e.textNodeName]=s):void 0!==s&&(r[e.textNodeName]=s),r}function St(t){const e=Object.keys(t);for(let t=0;t0&&(n="\n");const i=[];if(e.stopNodes&&Array.isArray(e.stopNodes))for(let t=0;te.maxNestedTags)throw new Error("Maximum nested tags exceeded");if(!Array.isArray(t)){if(null!=t){let n=t.toString();return n=Vt(n,e),n}return""}for(let a=0;a/g,"]]]]>")}]]>`,o=!1,i.pop();continue}if(l===e.commentPropName){const t=h[l][0][e.textNodeName];r+=n+`\x3c!--${String(t).replace(/--/g,"- -").replace(/-$/,"- ")}--\x3e`,o=!0,i.pop();continue}if("?"===l[0]){const t=Mt(h[":@"],e,p),s="?xml"===l?"":n;let a=h[l][0][e.textNodeName];a=0!==a.length?" "+a:"",r+=s+`<${l}${a}${t}?>`,o=!0,i.pop();continue}let c=n;""!==c&&(c+=e.indentBy);const d=n+`<${l}${Mt(h[":@"],e,p)}`;let f;f=p?$t(h[l],e):Pt(h[l],e,c,i,s),-1!==e.unpairedTags.indexOf(l)?e.suppressUnpairedNode?r+=d+">":r+=d+"/>":f&&0!==f.length||!e.suppressEmptyNode?f&&f.endsWith(">")?r+=d+`>${f}${n}`:(r+=d+">",f&&""!==n&&(f.includes("/>")||f.includes("`):r+=d+"/>",o=!0,i.pop()}return r}function Ot(t,e){if(!t||e.ignoreAttributes)return null;const n={};let i=!1;for(let s in t)Object.prototype.hasOwnProperty.call(t,s)&&(n[s.startsWith(e.attributeNamePrefix)?s.substr(e.attributeNamePrefix.length):s]=t[s],i=!0);return i?n:null}function $t(t,e){if(!Array.isArray(t))return null!=t?t.toString():"";let n="";for(let i=0;i${i}`:n+=`<${r}${t}/>`}}}return n}function It(t,e){let n="";if(t&&!e.ignoreAttributes)for(let i in t){if(!Object.prototype.hasOwnProperty.call(t,i))continue;let s=t[i];!0===s&&e.suppressBooleanAttributes?n+=` ${i.substr(e.attributeNamePrefix.length)}`:n+=` ${i.substr(e.attributeNamePrefix.length)}="${s}"`}return n}function Dt(t){const e=Object.keys(t);for(let n=0;n0&&e.processEntities)for(let n=0;n","g"),val:">"},{regex:new RegExp("<","g"),val:"<"},{regex:new RegExp("'","g"),val:"'"},{regex:new RegExp('"',"g"),val:"""}],processEntities:!0,stopNodes:[],oneListGroup:!1,maxNestedTags:100,jPath:!0};function kt(t){if(this.options=Object.assign({},Lt,t),this.options.stopNodes&&Array.isArray(this.options.stopNodes)&&(this.options.stopNodes=this.options.stopNodes.map(t=>"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t)),this.stopNodeExpressions=[],this.options.stopNodes&&Array.isArray(this.options.stopNodes))for(let t=0;t{for(const n of e){if("string"==typeof n&&t===n)return!0;if(n instanceof RegExp&&n.test(t))return!0}}:()=>!1,this.attrPrefixLen=this.options.attributeNamePrefix.length,this.isAttribute=Gt),this.processTextOrObjNode=Ft,this.options.format?(this.indentate=Rt,this.tagEndChar=">\n",this.newLine="\n"):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function Ft(t,e,n,i){const s=this.extractAttributes(t);if(i.push(e,s),this.checkStopNode(i)){const s=this.buildRawContent(t),r=this.buildAttributesForStopNode(t);return i.pop(),this.buildObjectNode(s,e,r,n)}const r=this.j2x(t,n+1,i);return i.pop(),void 0!==t[this.options.textNodeName]&&1===Object.keys(t).length?this.buildTextValNode(t[this.options.textNodeName],e,r.attrStr,n,i):this.buildObjectNode(r.val,e,r.attrStr,n)}function Rt(t){return this.options.indentBy.repeat(t)}function Gt(t){return!(!t.startsWith(this.options.attributeNamePrefix)||t===this.options.textNodeName)&&t.substr(this.attrPrefixLen)}kt.prototype.build=function(t){if(this.options.preserveOrder)return Ct(t,this.options);{Array.isArray(t)&&this.options.arrayNodeName&&this.options.arrayNodeName.length>1&&(t={[this.options.arrayNodeName]:t});const e=new R;return this.j2x(t,0,e).val}},kt.prototype.j2x=function(t,e,n){let i="",s="";if(this.options.maxNestedTags&&n.getDepth()>=this.options.maxNestedTags)throw new Error("Maximum nested tags exceeded");const r=this.options.jPath?n.toString():n,o=this.checkStopNode(n);for(let a in t)if(Object.prototype.hasOwnProperty.call(t,a))if(void 0===t[a])this.isAttribute(a)&&(s+="");else if(null===t[a])this.isAttribute(a)||a===this.options.cdataPropName?s+="":"?"===a[0]?s+=this.indentate(e)+"<"+a+"?"+this.tagEndChar:s+=this.indentate(e)+"<"+a+"/"+this.tagEndChar;else if(t[a]instanceof Date)s+=this.buildTextValNode(t[a],a,"",e,n);else if("object"!=typeof t[a]){const h=this.isAttribute(a);if(h&&!this.ignoreAttributesFn(h,r))i+=this.buildAttrPairStr(h,""+t[a],o);else if(!h)if(a===this.options.textNodeName){let e=this.options.tagValueProcessor(a,""+t[a]);s+=this.replaceEntitiesValue(e)}else{n.push(a);const i=this.checkStopNode(n);if(n.pop(),i){const n=""+t[a];s+=""===n?this.indentate(e)+"<"+a+this.closeTag(a)+this.tagEndChar:this.indentate(e)+"<"+a+">"+n+""+t+"${t}`;else if("object"==typeof t&&null!==t){const i=this.buildRawContent(t),s=this.buildAttributesForStopNode(t);e+=""===i?`<${n}${s}/>`:`<${n}${s}>${i}`}}else if("object"==typeof i&&null!==i){const t=this.buildRawContent(i),s=this.buildAttributesForStopNode(i);e+=""===t?`<${n}${s}/>`:`<${n}${s}>${t}`}else e+=`<${n}>${i}`}return e},kt.prototype.buildAttributesForStopNode=function(t){if(!t||"object"!=typeof t)return"";let e="";if(this.options.attributesGroupName&&t[this.options.attributesGroupName]){const n=t[this.options.attributesGroupName];for(let t in n){if(!Object.prototype.hasOwnProperty.call(n,t))continue;const i=t.startsWith(this.options.attributeNamePrefix)?t.substring(this.options.attributeNamePrefix.length):t,s=n[t];!0===s&&this.options.suppressBooleanAttributes?e+=" "+i:e+=" "+i+'="'+s+'"'}}else for(let n in t){if(!Object.prototype.hasOwnProperty.call(t,n))continue;const i=this.isAttribute(n);if(i){const s=t[n];!0===s&&this.options.suppressBooleanAttributes?e+=" "+i:e+=" "+i+'="'+s+'"'}}return e},kt.prototype.buildObjectNode=function(t,e,n,i){if(""===t)return"?"===e[0]?this.indentate(i)+"<"+e+n+"?"+this.tagEndChar:this.indentate(i)+"<"+e+n+this.closeTag(e)+this.tagEndChar;{let s=""+t+s}},kt.prototype.closeTag=function(t){let e="";return-1!==this.options.unpairedTags.indexOf(t)?this.options.suppressUnpairedNode||(e="/"):e=this.options.suppressEmptyNode?"/":`>/g,"]]]]>");return this.indentate(i)+``+this.newLine}if(!1!==this.options.commentPropName&&e===this.options.commentPropName){const e=String(t).replace(/--/g,"- -").replace(/-$/,"- ");return this.indentate(i)+`\x3c!--${e}--\x3e`+this.newLine}if("?"===e[0])return this.indentate(i)+"<"+e+n+"?"+this.tagEndChar;{let s=this.options.tagValueProcessor(e,t);return s=this.replaceEntitiesValue(s),""===s?this.indentate(i)+"<"+e+n+this.closeTag(e)+this.tagEndChar:this.indentate(i)+"<"+e+n+">"+s+"0&&this.options.processEntities)for(let e=0;e seg.type === 'deep-wildcard'); this._hasAttributeCondition = this.segments.some(seg => seg.attrName !== undefined); @@ -214491,56 +214491,206 @@ class Expression { } } ;// CONCATENATED MODULE: ./node_modules/path-expression-matcher/src/Matcher.js + + /** - * Matcher - Tracks current path in XML/JSON tree and matches against Expressions - * + * MatcherView - A lightweight read-only view over a Matcher's internal state. + * + * Created once by Matcher and reused across all callbacks. Holds a direct + * reference to the parent Matcher so it always reflects current parser state + * with zero copying or freezing overhead. + * + * Users receive this via {@link Matcher#readOnly} or directly from parser + * callbacks. It exposes all query and matching methods but has no mutation + * methods — misuse is caught at the TypeScript level rather than at runtime. + * + * @example + * const matcher = new Matcher(); + * const view = matcher.readOnly(); + * + * matcher.push("root", {}); + * view.getCurrentTag(); // "root" + * view.getDepth(); // 1 + */ +class MatcherView { + /** + * @param {Matcher} matcher - The parent Matcher instance to read from. + */ + constructor(matcher) { + this._matcher = matcher; + } + + /** + * Get the path separator used by the parent matcher. + * @returns {string} + */ + get separator() { + return this._matcher.separator; + } + + /** + * Get current tag name. + * @returns {string|undefined} + */ + getCurrentTag() { + const path = this._matcher.path; + return path.length > 0 ? path[path.length - 1].tag : undefined; + } + + /** + * Get current namespace. + * @returns {string|undefined} + */ + getCurrentNamespace() { + const path = this._matcher.path; + return path.length > 0 ? path[path.length - 1].namespace : undefined; + } + + /** + * Get current node's attribute value. + * @param {string} attrName + * @returns {*} + */ + getAttrValue(attrName) { + const path = this._matcher.path; + if (path.length === 0) return undefined; + return path[path.length - 1].values?.[attrName]; + } + + /** + * Check if current node has an attribute. + * @param {string} attrName + * @returns {boolean} + */ + hasAttr(attrName) { + const path = this._matcher.path; + if (path.length === 0) return false; + const current = path[path.length - 1]; + return current.values !== undefined && attrName in current.values; + } + + /** + * Get current node's sibling position (child index in parent). + * @returns {number} + */ + getPosition() { + const path = this._matcher.path; + if (path.length === 0) return -1; + return path[path.length - 1].position ?? 0; + } + + /** + * Get current node's repeat counter (occurrence count of this tag name). + * @returns {number} + */ + getCounter() { + const path = this._matcher.path; + if (path.length === 0) return -1; + return path[path.length - 1].counter ?? 0; + } + + /** + * Get current node's sibling index (alias for getPosition). + * @returns {number} + * @deprecated Use getPosition() or getCounter() instead + */ + getIndex() { + return this.getPosition(); + } + + /** + * Get current path depth. + * @returns {number} + */ + getDepth() { + return this._matcher.path.length; + } + + /** + * Get path as string. + * @param {string} [separator] - Optional separator (uses default if not provided) + * @param {boolean} [includeNamespace=true] + * @returns {string} + */ + toString(separator, includeNamespace = true) { + return this._matcher.toString(separator, includeNamespace); + } + + /** + * Get path as array of tag names. + * @returns {string[]} + */ + toArray() { + return this._matcher.path.map(n => n.tag); + } + + /** + * Match current path against an Expression. + * @param {Expression} expression + * @returns {boolean} + */ + matches(expression) { + return this._matcher.matches(expression); + } + + /** + * Match any expression in the given set against the current path. + * @param {ExpressionSet} exprSet + * @returns {boolean} + */ + matchesAny(exprSet) { + return exprSet.matchesAny(this._matcher); + } +} + +/** + * Matcher - Tracks current path in XML/JSON tree and matches against Expressions. + * * The matcher maintains a stack of nodes representing the current path from root to * current tag. It only stores attribute values for the current (top) node to minimize * memory usage. Sibling tracking is used to auto-calculate position and counter. - * + * + * Use {@link Matcher#readOnly} to obtain a {@link MatcherView} safe to pass to + * user callbacks — it always reflects current state with no Proxy overhead. + * * @example * const matcher = new Matcher(); * matcher.push("root", {}); * matcher.push("users", {}); * matcher.push("user", { id: "123", type: "admin" }); - * + * * const expr = new Expression("root.users.user"); * matcher.matches(expr); // true */ - -/** - * Names of methods that mutate Matcher state. - * Any attempt to call these on a read-only view throws a TypeError. - * @type {Set} - */ -const MUTATING_METHODS = new Set(['push', 'pop', 'reset', 'updateCurrent', 'restore']); - class Matcher { /** - * Create a new Matcher - * @param {Object} options - Configuration options - * @param {string} options.separator - Default path separator (default: '.') + * Create a new Matcher. + * @param {Object} [options={}] + * @param {string} [options.separator='.'] - Default path separator */ constructor(options = {}) { this.separator = options.separator || '.'; this.path = []; this.siblingStacks = []; - // Each path node: { tag: string, values: object, position: number, counter: number } + // Each path node: { tag, values, position, counter, namespace? } // values only present for current (last) node // Each siblingStacks entry: Map tracking occurrences at each level + this._pathStringCache = null; + this._view = new MatcherView(this); } /** - * Push a new tag onto the path - * @param {string} tagName - Name of the tag - * @param {Object} attrValues - Attribute key-value pairs for current node (optional) - * @param {string} namespace - Namespace for the tag (optional) + * Push a new tag onto the path. + * @param {string} tagName + * @param {Object|null} [attrValues=null] + * @param {string|null} [namespace=null] */ push(tagName, attrValues = null, namespace = null) { + this._pathStringCache = null; + // Remove values from previous current node (now becoming ancestor) if (this.path.length > 0) { - const prev = this.path[this.path.length - 1]; - prev.values = undefined; + this.path[this.path.length - 1].values = undefined; } // Get or create sibling tracking for current level @@ -214573,12 +214723,10 @@ class Matcher { counter: counter }; - // Store namespace if provided if (namespace !== null && namespace !== undefined) { node.namespace = namespace; } - // Store values only for current node if (attrValues !== null && attrValues !== undefined) { node.values = attrValues; } @@ -214587,19 +214735,15 @@ class Matcher { } /** - * Pop the last tag from the path + * Pop the last tag from the path. * @returns {Object|undefined} The popped node */ pop() { - if (this.path.length === 0) { - return undefined; - } + if (this.path.length === 0) return undefined; + this._pathStringCache = null; const node = this.path.pop(); - // Clean up sibling tracking for levels deeper than current - // After pop, path.length is the new depth - // We need to clean up siblingStacks[path.length + 1] and beyond if (this.siblingStacks.length > this.path.length + 1) { this.siblingStacks.length = this.path.length + 1; } @@ -214608,9 +214752,9 @@ class Matcher { } /** - * Update current node's attribute values - * Useful when attributes are parsed after push - * @param {Object} attrValues - Attribute values + * Update current node's attribute values. + * Useful when attributes are parsed after push. + * @param {Object} attrValues */ updateCurrent(attrValues) { if (this.path.length > 0) { @@ -214622,7 +214766,7 @@ class Matcher { } /** - * Get current tag name + * Get current tag name. * @returns {string|undefined} */ getCurrentTag() { @@ -214630,7 +214774,7 @@ class Matcher { } /** - * Get current namespace + * Get current namespace. * @returns {string|undefined} */ getCurrentNamespace() { @@ -214638,19 +214782,18 @@ class Matcher { } /** - * Get current node's attribute value - * @param {string} attrName - Attribute name - * @returns {*} Attribute value or undefined + * Get current node's attribute value. + * @param {string} attrName + * @returns {*} */ getAttrValue(attrName) { if (this.path.length === 0) return undefined; - const current = this.path[this.path.length - 1]; - return current.values?.[attrName]; + return this.path[this.path.length - 1].values?.[attrName]; } /** - * Check if current node has an attribute - * @param {string} attrName - Attribute name + * Check if current node has an attribute. + * @param {string} attrName * @returns {boolean} */ hasAttr(attrName) { @@ -214660,7 +214803,7 @@ class Matcher { } /** - * Get current node's sibling position (child index in parent) + * Get current node's sibling position (child index in parent). * @returns {number} */ getPosition() { @@ -214669,7 +214812,7 @@ class Matcher { } /** - * Get current node's repeat counter (occurrence count of this tag name) + * Get current node's repeat counter (occurrence count of this tag name). * @returns {number} */ getCounter() { @@ -214678,7 +214821,7 @@ class Matcher { } /** - * Get current node's sibling index (alias for getPosition for backward compatibility) + * Get current node's sibling index (alias for getPosition). * @returns {number} * @deprecated Use getPosition() or getCounter() instead */ @@ -214687,7 +214830,7 @@ class Matcher { } /** - * Get current path depth + * Get current path depth. * @returns {number} */ getDepth() { @@ -214695,23 +214838,33 @@ class Matcher { } /** - * Get path as string - * @param {string} separator - Optional separator (uses default if not provided) - * @param {boolean} includeNamespace - Whether to include namespace in output (default: true) + * Get path as string. + * @param {string} [separator] - Optional separator (uses default if not provided) + * @param {boolean} [includeNamespace=true] * @returns {string} */ toString(separator, includeNamespace = true) { const sep = separator || this.separator; - return this.path.map(n => { - if (includeNamespace && n.namespace) { - return `${n.namespace}:${n.tag}`; + const isDefault = (sep === this.separator && includeNamespace === true); + + if (isDefault) { + if (this._pathStringCache !== null) { + return this._pathStringCache; } - return n.tag; - }).join(sep); + const result = this.path.map(n => + (n.namespace) ? `${n.namespace}:${n.tag}` : n.tag + ).join(sep); + this._pathStringCache = result; + return result; + } + + return this.path.map(n => + (includeNamespace && n.namespace) ? `${n.namespace}:${n.tag}` : n.tag + ).join(sep); } /** - * Get path as array of tag names + * Get path as array of tag names. * @returns {string[]} */ toArray() { @@ -214719,17 +214872,18 @@ class Matcher { } /** - * Reset the path to empty + * Reset the path to empty. */ reset() { + this._pathStringCache = null; this.path = []; this.siblingStacks = []; } /** - * Match current path against an Expression - * @param {Expression} expression - The expression to match against - * @returns {boolean} True if current path matches the expression + * Match current path against an Expression. + * @param {Expression} expression + * @returns {boolean} */ matches(expression) { const segments = expression.segments; @@ -214738,32 +214892,23 @@ class Matcher { return false; } - // Handle deep wildcard patterns if (expression.hasDeepWildcard()) { return this._matchWithDeepWildcard(segments); } - // Simple path matching (no deep wildcards) return this._matchSimple(segments); } /** - * Match simple path (no deep wildcards) * @private */ _matchSimple(segments) { - // Path must be same length as segments if (this.path.length !== segments.length) { return false; } - // Match each segment bottom-to-top for (let i = 0; i < segments.length; i++) { - const segment = segments[i]; - const node = this.path[i]; - const isCurrentNode = (i === this.path.length - 1); - - if (!this._matchSegment(segment, node, isCurrentNode)) { + if (!this._matchSegment(segments[i], this.path[i], i === this.path.length - 1)) { return false; } } @@ -214772,32 +214917,27 @@ class Matcher { } /** - * Match path with deep wildcards * @private */ _matchWithDeepWildcard(segments) { - let pathIdx = this.path.length - 1; // Start from current node (bottom) - let segIdx = segments.length - 1; // Start from last segment + let pathIdx = this.path.length - 1; + let segIdx = segments.length - 1; while (segIdx >= 0 && pathIdx >= 0) { const segment = segments[segIdx]; if (segment.type === 'deep-wildcard') { - // ".." matches zero or more levels segIdx--; if (segIdx < 0) { - // Pattern ends with "..", always matches return true; } - // Find where next segment matches in the path const nextSeg = segments[segIdx]; let found = false; for (let i = pathIdx; i >= 0; i--) { - const isCurrentNode = (i === this.path.length - 1); - if (this._matchSegment(nextSeg, this.path[i], isCurrentNode)) { + if (this._matchSegment(nextSeg, this.path[i], i === this.path.length - 1)) { pathIdx = i - 1; segIdx--; found = true; @@ -214809,9 +214949,7 @@ class Matcher { return false; } } else { - // Regular segment - const isCurrentNode = (pathIdx === this.path.length - 1); - if (!this._matchSegment(segment, this.path[pathIdx], isCurrentNode)) { + if (!this._matchSegment(segment, this.path[pathIdx], pathIdx === this.path.length - 1)) { return false; } pathIdx--; @@ -214819,38 +214957,25 @@ class Matcher { } } - // All segments must be consumed return segIdx < 0; } /** - * Match a single segment against a node * @private - * @param {Object} segment - Segment from Expression - * @param {Object} node - Node from path - * @param {boolean} isCurrentNode - Whether this is the current (last) node - * @returns {boolean} */ _matchSegment(segment, node, isCurrentNode) { - // Match tag name (* is wildcard) if (segment.tag !== '*' && segment.tag !== node.tag) { return false; } - // Match namespace if specified in segment if (segment.namespace !== undefined) { - // Segment has namespace - node must match it if (segment.namespace !== '*' && segment.namespace !== node.namespace) { return false; } } - // If segment has no namespace, it matches nodes with or without namespace - // Match attribute name (check if node has this attribute) - // Can only check for current node since ancestors don't have values if (segment.attrName !== undefined) { if (!isCurrentNode) { - // Can't check attributes for ancestor nodes (values not stored) return false; } @@ -214858,20 +214983,15 @@ class Matcher { return false; } - // Match attribute value (only possible for current node) if (segment.attrValue !== undefined) { - const actualValue = node.values[segment.attrName]; - // Both should be strings - if (String(actualValue) !== String(segment.attrValue)) { + if (String(node.values[segment.attrName]) !== String(segment.attrValue)) { return false; } } } - // Match position (only for current node) if (segment.position !== undefined) { if (!isCurrentNode) { - // Can't check position for ancestor nodes return false; } @@ -214883,10 +215003,8 @@ class Matcher { return false; } else if (segment.position === 'even' && counter % 2 !== 0) { return false; - } else if (segment.position === 'nth') { - if (counter !== segment.positionValue) { - return false; - } + } else if (segment.position === 'nth' && counter !== segment.positionValue) { + return false; } } @@ -214894,8 +215012,17 @@ class Matcher { } /** - * Create a snapshot of current state - * @returns {Object} State snapshot + * Match any expression in the given set against the current path. + * @param {ExpressionSet} exprSet + * @returns {boolean} + */ + matchesAny(exprSet) { + return exprSet.matchesAny(this); + } + + /** + * Create a snapshot of current state. + * @returns {Object} */ snapshot() { return { @@ -214905,88 +215032,33 @@ class Matcher { } /** - * Restore state from snapshot - * @param {Object} snapshot - State snapshot + * Restore state from snapshot. + * @param {Object} snapshot */ restore(snapshot) { + this._pathStringCache = null; this.path = snapshot.path.map(node => ({ ...node })); this.siblingStacks = snapshot.siblingStacks.map(map => new Map(map)); } /** - * Return a read-only view of this matcher. + * Return the read-only {@link MatcherView} for this matcher. * - * The returned object exposes all query/inspection methods but throws a - * TypeError if any state-mutating method is called (`push`, `pop`, `reset`, - * `updateCurrent`, `restore`). Property reads (e.g. `.path`, `.separator`) - * are allowed but the returned arrays/objects are frozen so callers cannot - * mutate internal state through them either. + * The same instance is returned on every call — no allocation occurs. + * It always reflects the current parser state and is safe to pass to + * user callbacks without risk of accidental mutation. * - * @returns {ReadOnlyMatcher} A proxy that forwards read operations and blocks writes. + * @returns {MatcherView} * * @example - * const matcher = new Matcher(); - * matcher.push("root", {}); - * - * const ro = matcher.readOnly(); - * ro.matches(expr); // ✓ works - * ro.getCurrentTag(); // ✓ works - * ro.push("child", {}); // ✗ throws TypeError - * ro.reset(); // ✗ throws TypeError + * const view = matcher.readOnly(); + * // pass view to callbacks — it stays in sync automatically + * view.matches(expr); // ✓ + * view.getCurrentTag(); // ✓ + * // view.push(...) // ✗ method does not exist — caught by TypeScript */ readOnly() { - const self = this; - - return new Proxy(self, { - get(target, prop, receiver) { - // Block mutating methods - if (MUTATING_METHODS.has(prop)) { - return () => { - throw new TypeError( - `Cannot call '${prop}' on a read-only Matcher. ` + - `Obtain a writable instance to mutate state.` - ); - }; - } - - const value = Reflect.get(target, prop, receiver); - - // Freeze array/object properties so callers can't mutate internal - // state through direct property access (e.g. matcher.path.push(...)) - if (prop === 'path' || prop === 'siblingStacks') { - return Object.freeze( - Array.isArray(value) - ? value.map(item => - item instanceof Map - ? Object.freeze(new Map(item)) // freeze a copy of each Map - : Object.freeze({ ...item }) // freeze a copy of each node - ) - : value - ); - } - - // Bind methods so `this` inside them still refers to the real Matcher - if (typeof value === 'function') { - return value.bind(target); - } - - return value; - }, - - // Prevent any property assignment on the read-only view - set(_target, prop) { - throw new TypeError( - `Cannot set property '${String(prop)}' on a read-only Matcher.` - ); - }, - - // Prevent property deletion - deleteProperty(_target, prop) { - throw new TypeError( - `Cannot delete property '${String(prop)}' from a read-only Matcher.` - ); - } - }); + return this._view; } } ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/orderedJs2Xml.js @@ -215074,12 +215146,18 @@ function arrToStr(arr, options, indentation, matcher, stopNodeExpressions) { if (isPreviousElementTag) { xmlStr += indentation; } - xmlStr += ``; + const val = tagObj[tagName][0][options.textNodeName]; + const safeVal = String(val).replace(/\]\]>/g, ']]]]>'); + xmlStr += ``; isPreviousElementTag = false; matcher.pop(); continue; } else if (tagName === options.commentPropName) { - xmlStr += indentation + ``; + const val = tagObj[tagName][0][options.textNodeName] + const safeVal = String(val) + .replace(/--/g, '- -') // -- is illegal anywhere in comment content + .replace(/-$/, '- '); // trailing - would form -- with the closing --> + xmlStr += indentation + ``; isPreviousElementTag = true; matcher.pop(); continue; @@ -215282,6 +215360,14 @@ function replaceEntitiesValue(textValue, options) { } return textValue; } + +function cdataVal(val) { + +} + +function commentVal(val) { + +} ;// CONCATENATED MODULE: ./node_modules/fast-xml-builder/src/ignoreAttributes.js function getIgnoreAttributesFn(ignoreAttributes) { if (typeof ignoreAttributes === 'function') { @@ -215790,9 +215876,13 @@ function buildEmptyObjNode(val, key, attrStr, level) { Builder.prototype.buildTextValNode = function (val, key, attrStr, level, matcher) { if (this.options.cdataPropName !== false && key === this.options.cdataPropName) { - return this.indentate(level) + `` + this.newLine; + const safeVal = String(val).replace(/\]\]>/g, ']]]]>'); + return this.indentate(level) + `` + this.newLine; } else if (this.options.commentPropName !== false && key === this.options.commentPropName) { - return this.indentate(level) + `` + this.newLine; + const safeVal = String(val) + .replace(/--/g, '- -') // -- is illegal anywhere in comment content + .replace(/-$/, '- '); // trailing - would form -- with the closing --> + return this.indentate(level) + `` + this.newLine; } else if (key[0] === "?") {//PI tag return this.indentate(level) + '<' + key + attrStr + '?' + this.tagEndChar; } else { @@ -216341,6 +216431,7 @@ const XMLValidator = { ;// CONCATENATED MODULE: ./node_modules/fast-xml-parser/src/xmlparser/OptionsBuilder.js + const defaultOnDangerousProperty = (name) => { if (DANGEROUS_PROPERTY_NAMES.includes(name)) { return "__" + name; @@ -216380,6 +216471,7 @@ const OptionsBuilder_defaultOptions = { unpairedTags: [], processEntities: true, htmlEntities: false, + entityDecoder: null, ignoreDeclaration: false, ignorePiTags: false, transformTagName: false, @@ -216426,18 +216518,19 @@ function validatePropertyName(propertyName, optionName) { * @param {boolean|object} value * @returns {object} Always returns normalized object */ -function normalizeProcessEntities(value) { +function normalizeProcessEntities(value, htmlEntities) { // Boolean backward compatibility if (typeof value === 'boolean') { return { enabled: value, // true or false maxEntitySize: 10000, - maxExpansionDepth: 10, - maxTotalExpansions: 1000, + maxExpansionDepth: 10000, + maxTotalExpansions: Infinity, maxExpandedLength: 100000, - maxEntityCount: 100, + maxEntityCount: 1000, allowedTags: null, - tagFilter: null + tagFilter: null, + appliesTo: "all", }; } @@ -216446,12 +216539,13 @@ function normalizeProcessEntities(value) { return { enabled: value.enabled !== false, maxEntitySize: Math.max(1, value.maxEntitySize ?? 10000), - maxExpansionDepth: Math.max(1, value.maxExpansionDepth ?? 10), - maxTotalExpansions: Math.max(1, value.maxTotalExpansions ?? 1000), + maxExpansionDepth: Math.max(1, value.maxExpansionDepth ?? 10000), + maxTotalExpansions: Math.max(1, value.maxTotalExpansions ?? Infinity), maxExpandedLength: Math.max(1, value.maxExpandedLength ?? 100000), - maxEntityCount: Math.max(1, value.maxEntityCount ?? 100), + maxEntityCount: Math.max(1, value.maxEntityCount ?? 1000), allowedTags: value.allowedTags ?? null, - tagFilter: value.tagFilter ?? null + tagFilter: value.tagFilter ?? null, + appliesTo: value.appliesTo ?? "all", }; } @@ -216482,8 +216576,8 @@ const buildOptions = function (options) { } // Always normalize processEntities for backward compatibility and validation - built.processEntities = normalizeProcessEntities(built.processEntities); - + built.processEntities = normalizeProcessEntities(built.processEntities, built.htmlEntities); + built.unpairedTagsSet = new Set(built.unpairedTags); // Convert old-style stopNodes for backward compatibility if (built.stopNodes && Array.isArray(built.stopNodes)) { built.stopNodes = built.stopNodes.map(node => { @@ -216578,11 +216672,8 @@ class DocTypeReader { ); } //const escaped = entityName.replace(/[.\-+*:]/g, '\\.'); - const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); - entities[entityName] = { - regx: RegExp(`&${escaped};`, "g"), - val: val - }; + //const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); + entities[entityName] = val; entityCount++; } } @@ -216974,8 +217065,9 @@ function toNumber(str, options = {}) { let trimmedStr = str.trim(); - if (options.skipLike !== undefined && options.skipLike.test(trimmedStr)) return str; - else if (str === "0") return 0; + if (trimmedStr.length === 0) return str; + else if (options.skipLike !== undefined && options.skipLike.test(trimmedStr)) return str; + else if (trimmedStr === "0") return 0; else if (options.hex && hexRegex.test(trimmedStr)) { return parse_int(trimmedStr, 16); // }else if (options.oct && octRegex.test(str)) { @@ -217051,11 +217143,16 @@ function resolveEnotation(str, trimmedStr, options) { else if (leadingZeros.length === 1 && (notation[3].startsWith(`.${eChar}`) || notation[3][0] === eChar)) { return Number(trimmedStr); - } else if (options.leadingZeros && !eAdjacentToLeadingZeros) { //accept with leading zeros - //remove leading 0s - trimmedStr = (notation[1] || "") + notation[3]; + } else if (leadingZeros.length > 0) { + // Has leading zeros — only accept if leadingZeros option allows it + if (options.leadingZeros && !eAdjacentToLeadingZeros) { + trimmedStr = (notation[1] || "") + notation[3]; + return Number(trimmedStr); + } else return str; + } else { + // No leading zeros — always valid e-notation, parse it return Number(trimmedStr); - } else return str; + } } else { return str; } @@ -217126,6 +217223,1939 @@ function ignoreAttributes_getIgnoreAttributesFn(ignoreAttributes) { } return () => false } +;// CONCATENATED MODULE: ./node_modules/path-expression-matcher/src/ExpressionSet.js +/** + * ExpressionSet - An indexed collection of Expressions for efficient bulk matching + * + * Instead of iterating all expressions on every tag, ExpressionSet pre-indexes + * them at insertion time by depth and terminal tag name. At match time, only + * the relevant bucket is evaluated — typically reducing checks from O(E) to O(1) + * lookup plus O(small bucket) matches. + * + * Three buckets are maintained: + * - `_byDepthAndTag` — exact depth + exact tag name (tightest, used first) + * - `_wildcardByDepth` — exact depth + wildcard tag `*` (depth-matched only) + * - `_deepWildcards` — expressions containing `..` (cannot be depth-indexed) + * + * @example + * import { Expression, ExpressionSet } from 'fast-xml-tagger'; + * + * // Build once at config time + * const stopNodes = new ExpressionSet(); + * stopNodes.add(new Expression('root.users.user')); + * stopNodes.add(new Expression('root.config.setting')); + * stopNodes.add(new Expression('..script')); + * + * // Query on every tag — hot path + * if (stopNodes.matchesAny(matcher)) { ... } + */ +class ExpressionSet { + constructor() { + /** @type {Map} depth:tag → expressions */ + this._byDepthAndTag = new Map(); + + /** @type {Map} depth → wildcard-tag expressions */ + this._wildcardByDepth = new Map(); + + /** @type {import('./Expression.js').default[]} expressions containing deep wildcard (..) */ + this._deepWildcards = []; + + /** @type {Set} pattern strings already added — used for deduplication */ + this._patterns = new Set(); + + /** @type {boolean} whether the set is sealed against further additions */ + this._sealed = false; + } + + /** + * Add an Expression to the set. + * Duplicate patterns (same pattern string) are silently ignored. + * + * @param {import('./Expression.js').default} expression - A pre-constructed Expression instance + * @returns {this} for chaining + * @throws {TypeError} if called after seal() + * + * @example + * set.add(new Expression('root.users.user')); + * set.add(new Expression('..script')); + */ + add(expression) { + if (this._sealed) { + throw new TypeError( + 'ExpressionSet is sealed. Create a new ExpressionSet to add more expressions.' + ); + } + + // Deduplicate by pattern string + if (this._patterns.has(expression.pattern)) return this; + this._patterns.add(expression.pattern); + + if (expression.hasDeepWildcard()) { + this._deepWildcards.push(expression); + return this; + } + + const depth = expression.length; + const lastSeg = expression.segments[expression.segments.length - 1]; + const tag = lastSeg?.tag; + + if (!tag || tag === '*') { + // Can index by depth but not by tag + if (!this._wildcardByDepth.has(depth)) this._wildcardByDepth.set(depth, []); + this._wildcardByDepth.get(depth).push(expression); + } else { + // Tightest bucket: depth + tag + const key = `${depth}:${tag}`; + if (!this._byDepthAndTag.has(key)) this._byDepthAndTag.set(key, []); + this._byDepthAndTag.get(key).push(expression); + } + + return this; + } + + /** + * Add multiple expressions at once. + * + * @param {import('./Expression.js').default[]} expressions - Array of Expression instances + * @returns {this} for chaining + * + * @example + * set.addAll([ + * new Expression('root.users.user'), + * new Expression('root.config.setting'), + * ]); + */ + addAll(expressions) { + for (const expr of expressions) this.add(expr); + return this; + } + + /** + * Check whether a pattern string is already present in the set. + * + * @param {import('./Expression.js').default} expression + * @returns {boolean} + */ + has(expression) { + return this._patterns.has(expression.pattern); + } + + /** + * Number of expressions in the set. + * @type {number} + */ + get size() { + return this._patterns.size; + } + + /** + * Seal the set against further modifications. + * Useful to prevent accidental mutations after config is built. + * Calling add() or addAll() on a sealed set throws a TypeError. + * + * @returns {this} + */ + seal() { + this._sealed = true; + return this; + } + + /** + * Whether the set has been sealed. + * @type {boolean} + */ + get isSealed() { + return this._sealed; + } + + /** + * Test whether the matcher's current path matches any expression in the set. + * + * Evaluation order (cheapest → most expensive): + * 1. Exact depth + tag bucket — O(1) lookup, typically 0–2 expressions + * 2. Depth-only wildcard bucket — O(1) lookup, rare + * 3. Deep-wildcard list — always checked, but usually small + * + * @param {import('./Matcher.js').default} matcher - Matcher instance (or readOnly view) + * @returns {boolean} true if any expression matches the current path + * + * @example + * if (stopNodes.matchesAny(matcher)) { + * // handle stop node + * } + */ + matchesAny(matcher) { + return this.findMatch(matcher) !== null; + } + /** + * Find and return the first Expression that matches the matcher's current path. + * + * Uses the same evaluation order as matchesAny (cheapest → most expensive): + * 1. Exact depth + tag bucket + * 2. Depth-only wildcard bucket + * 3. Deep-wildcard list + * + * @param {import('./Matcher.js').default} matcher - Matcher instance (or readOnly view) + * @returns {import('./Expression.js').default | null} the first matching Expression, or null + * + * @example + * const expr = stopNodes.findMatch(matcher); + * if (expr) { + * // access expr.config, expr.pattern, etc. + * } + */ + findMatch(matcher) { + const depth = matcher.getDepth(); + const tag = matcher.getCurrentTag(); + + // 1. Tightest bucket — most expressions live here + const exactKey = `${depth}:${tag}`; + const exactBucket = this._byDepthAndTag.get(exactKey); + if (exactBucket) { + for (let i = 0; i < exactBucket.length; i++) { + if (matcher.matches(exactBucket[i])) return exactBucket[i]; + } + } + + // 2. Depth-matched wildcard-tag expressions + const wildcardBucket = this._wildcardByDepth.get(depth); + if (wildcardBucket) { + for (let i = 0; i < wildcardBucket.length; i++) { + if (matcher.matches(wildcardBucket[i])) return wildcardBucket[i]; + } + } + + // 3. Deep wildcards — cannot be pre-filtered by depth or tag + for (let i = 0; i < this._deepWildcards.length; i++) { + if (matcher.matches(this._deepWildcards[i])) return this._deepWildcards[i]; + } + + return null; + } +} + +;// CONCATENATED MODULE: ./node_modules/@nodable/entities/src/entities.js +// --------------------------------------------------------------------------- +// Complete HTML5 named entity reference +// Organized by logical categories for easy maintenance and selective importing +// --------------------------------------------------------------------------- + +/** + * Basic Latin & Special Characters + * @type {Record} + */ +const BASIC_LATIN = { + amp: '&', + AMP: '&', + lt: '<', + LT: '<', + gt: '>', + GT: '>', + quot: '"', + QUOT: '"', + apos: "'", + lsquo: '‘', + rsquo: '’', + ldquo: '“', + rdquo: '”', + lsquor: '‚', + rsquor: '’', + ldquor: '„', + bdquo: '„', + comma: ',', + period: '.', + colon: ':', + semi: ';', + excl: '!', + quest: '?', + num: '#', + dollar: '$', + percent: '%', + amp: '&', + ast: '*', + commat: '@', + lowbar: '_', + verbar: '|', + vert: '|', + sol: '/', + bsol: '\\', + lbrace: '{', + rbrace: '}', + lbrack: '[', + rbrack: ']', + lpar: '(', + rpar: ')', + nbsp: '\u00a0', + iexcl: '¡', + cent: '¢', + pound: '£', + curren: '¤', + yen: '¥', + brvbar: '¦', + sect: '§', + uml: '¨', + copy: '©', + COPY: '©', + ordf: 'ª', + laquo: '«', + not: '¬', + shy: '\u00ad', + reg: '®', + REG: '®', + macr: '¯', + deg: '°', + plusmn: '±', + sup2: '²', + sup3: '³', + acute: '´', + micro: 'µ', + para: '¶', + middot: '·', + cedil: '¸', + sup1: '¹', + ordm: 'º', + raquo: '»', + frac14: '¼', + frac12: '½', + half: '½', + frac34: '¾', + iquest: '¿', + times: '×', + div: '÷', + divide: '÷', +}; + +/** + * Latin Extended & Accented Letters (A-Z) + * @type {Record} + */ +const LATIN_ACCENTS = { + Agrave: 'À', + agrave: 'à', + Aacute: 'Á', + aacute: 'á', + Acirc: 'Â', + acirc: 'â', + Atilde: 'Ã', + atilde: 'ã', + Auml: 'Ä', + auml: 'ä', + Aring: 'Å', + aring: 'å', + AElig: 'Æ', + aelig: 'æ', + Ccedil: 'Ç', + ccedil: 'ç', + Egrave: 'È', + egrave: 'è', + Eacute: 'É', + eacute: 'é', + Ecirc: 'Ê', + ecirc: 'ê', + Euml: 'Ë', + euml: 'ë', + Igrave: 'Ì', + igrave: 'ì', + Iacute: 'Í', + iacute: 'í', + Icirc: 'Î', + icirc: 'î', + Iuml: 'Ï', + iuml: 'ï', + ETH: 'Ð', + eth: 'ð', + Ntilde: 'Ñ', + ntilde: 'ñ', + Ograve: 'Ò', + ograve: 'ò', + Oacute: 'Ó', + oacute: 'ó', + Ocirc: 'Ô', + ocirc: 'ô', + Otilde: 'Õ', + otilde: 'õ', + Ouml: 'Ö', + ouml: 'ö', + Oslash: 'Ø', + oslash: 'ø', + Ugrave: 'Ù', + ugrave: 'ù', + Uacute: 'Ú', + uacute: 'ú', + Ucirc: 'Û', + ucirc: 'û', + Uuml: 'Ü', + uuml: 'ü', + Yacute: 'Ý', + yacute: 'ý', + THORN: 'Þ', + thorn: 'þ', + szlig: 'ß', + yuml: 'ÿ', + Yuml: 'Ÿ', +}; + +/** + * Latin Extended (Letters with diacritics) + * @type {Record} + */ +const LATIN_EXTENDED = { + Amacr: 'Ā', + amacr: 'ā', + Abreve: 'Ă', + abreve: 'ă', + Aogon: 'Ą', + aogon: 'ą', + Cacute: 'Ć', + cacute: 'ć', + Ccirc: 'Ĉ', + ccirc: 'ĉ', + Cdot: 'Ċ', + cdot: 'ċ', + Ccaron: 'Č', + ccaron: 'č', + Dcaron: 'Ď', + dcaron: 'ď', + Dstrok: 'Đ', + dstrok: 'đ', + Emacr: 'Ē', + emacr: 'ē', + Ecaron: 'Ě', + ecaron: 'ě', + Edot: 'Ė', + edot: 'ė', + Eogon: 'Ę', + eogon: 'ę', + Gcirc: 'Ĝ', + gcirc: 'ĝ', + Gbreve: 'Ğ', + gbreve: 'ğ', + Gdot: 'Ġ', + gdot: 'ġ', + Gcedil: 'Ģ', + Hcirc: 'Ĥ', + hcirc: 'ĥ', + Hstrok: 'Ħ', + hstrok: 'ħ', + Itilde: 'Ĩ', + itilde: 'ĩ', + Imacr: 'Ī', + imacr: 'ī', + Iogon: 'Į', + iogon: 'į', + Idot: 'İ', + IJlig: 'IJ', + ijlig: 'ij', + Jcirc: 'Ĵ', + jcirc: 'ĵ', + Kcedil: 'Ķ', + kcedil: 'ķ', + kgreen: 'ĸ', + Lacute: 'Ĺ', + lacute: 'ĺ', + Lcedil: 'Ļ', + lcedil: 'ļ', + Lcaron: 'Ľ', + lcaron: 'ľ', + Lmidot: 'Ŀ', + lmidot: 'ŀ', + Lstrok: 'Ł', + lstrok: 'ł', + Nacute: 'Ń', + nacute: 'ń', + Ncaron: 'Ň', + ncaron: 'ň', + Ncedil: 'Ņ', + ncedil: 'ņ', + ENG: 'Ŋ', + eng: 'ŋ', + Omacr: 'Ō', + omacr: 'ō', + Odblac: 'Ő', + odblac: 'ő', + OElig: 'Œ', + oelig: 'œ', + Racute: 'Ŕ', + racute: 'ŕ', + Rcaron: 'Ř', + rcaron: 'ř', + Rcedil: 'Ŗ', + rcedil: 'ŗ', + Sacute: 'Ś', + sacute: 'ś', + Scirc: 'Ŝ', + scirc: 'ŝ', + Scedil: 'Ş', + scedil: 'ş', + Scaron: 'Š', + scaron: 'š', + Tcedil: 'Ţ', + tcedil: 'ţ', + Tcaron: 'Ť', + tcaron: 'ť', + Tstrok: 'Ŧ', + tstrok: 'ŧ', + Utilde: 'Ũ', + utilde: 'ũ', + Umacr: 'Ū', + umacr: 'ū', + Ubreve: 'Ŭ', + ubreve: 'ŭ', + Uring: 'Ů', + uring: 'ů', + Udblac: 'Ű', + udblac: 'ű', + Uogon: 'Ų', + uogon: 'ų', + Wcirc: 'Ŵ', + wcirc: 'ŵ', + Ycirc: 'Ŷ', + ycirc: 'ŷ', + Zacute: 'Ź', + zacute: 'ź', + Zdot: 'Ż', + zdot: 'ż', + Zcaron: 'Ž', + zcaron: 'ž', +}; + +/** + * Greek Letters + * @type {Record} + */ +const GREEK = { + Alpha: 'Α', + alpha: 'α', + Beta: 'Β', + beta: 'β', + Gamma: 'Γ', + gamma: 'γ', + Delta: 'Δ', + delta: 'δ', + Epsilon: 'Ε', + epsilon: 'ε', + epsiv: 'ϵ', + varepsilon: 'ϵ', + Zeta: 'Ζ', + zeta: 'ζ', + Eta: 'Η', + eta: 'η', + Theta: 'Θ', + theta: 'θ', + thetasym: 'ϑ', + vartheta: 'ϑ', + Iota: 'Ι', + iota: 'ι', + Kappa: 'Κ', + kappa: 'κ', + kappav: 'ϰ', + varkappa: 'ϰ', + Lambda: 'Λ', + lambda: 'λ', + Mu: 'Μ', + mu: 'μ', + Nu: 'Ν', + nu: 'ν', + Xi: 'Ξ', + xi: 'ξ', + Omicron: 'Ο', + omicron: 'ο', + Pi: 'Π', + pi: 'π', + piv: 'ϖ', + varpi: 'ϖ', + Rho: 'Ρ', + rho: 'ρ', + rhov: 'ϱ', + varrho: 'ϱ', + Sigma: 'Σ', + sigma: 'σ', + sigmaf: 'ς', + sigmav: 'ς', + varsigma: 'ς', + Tau: 'Τ', + tau: 'τ', + Upsilon: 'Υ', + upsilon: 'υ', + upsi: 'υ', + Upsi: 'ϒ', + upsih: 'ϒ', + Phi: 'Φ', + phi: 'φ', + phiv: 'ϕ', + varphi: 'ϕ', + Chi: 'Χ', + chi: 'χ', + Psi: 'Ψ', + psi: 'ψ', + Omega: 'Ω', + omega: 'ω', + ohm: 'Ω', + Gammad: 'Ϝ', + gammad: 'ϝ', + digamma: 'ϝ', +}; + +/** + * Cyrillic Letters + * @type {Record} + */ +const CYRILLIC = { + Afr: '𝔄', + afr: '𝔞', + Acy: 'А', + acy: 'а', + Bcy: 'Б', + bcy: 'б', + Vcy: 'В', + vcy: 'в', + Gcy: 'Г', + gcy: 'г', + Dcy: 'Д', + dcy: 'д', + IEcy: 'Е', + iecy: 'е', + IOcy: 'Ё', + iocy: 'ё', + ZHcy: 'Ж', + zhcy: 'ж', + Zcy: 'З', + zcy: 'з', + Icy: 'И', + icy: 'и', + Jcy: 'Й', + jcy: 'й', + Kcy: 'К', + kcy: 'к', + Lcy: 'Л', + lcy: 'л', + Mcy: 'М', + mcy: 'м', + Ncy: 'Н', + ncy: 'н', + Ocy: 'О', + ocy: 'о', + Pcy: 'П', + pcy: 'п', + Rcy: 'Р', + rcy: 'р', + Scy: 'С', + scy: 'с', + Tcy: 'Т', + tcy: 'т', + Ucy: 'У', + ucy: 'у', + Fcy: 'Ф', + fcy: 'ф', + KHcy: 'Х', + khcy: 'х', + TScy: 'Ц', + tscy: 'ц', + CHcy: 'Ч', + chcy: 'ч', + SHcy: 'Ш', + shcy: 'ш', + SHCHcy: 'Щ', + shchcy: 'щ', + HARDcy: 'Ъ', + hardcy: 'ъ', + Ycy: 'Ы', + ycy: 'ы', + SOFTcy: 'Ь', + softcy: 'ь', + Ecy: 'Э', + ecy: 'э', + YUcy: 'Ю', + yucy: 'ю', + YAcy: 'Я', + yacy: 'я', + DJcy: 'Ђ', + djcy: 'ђ', + GJcy: 'Ѓ', + gjcy: 'ѓ', + Jukcy: 'Є', + jukcy: 'є', + DScy: 'Ѕ', + dscy: 'ѕ', + Iukcy: 'І', + iukcy: 'і', + YIcy: 'Ї', + yicy: 'ї', + Jsercy: 'Ј', + jsercy: 'ј', + LJcy: 'Љ', + ljcy: 'љ', + NJcy: 'Њ', + njcy: 'њ', + TSHcy: 'Ћ', + tshcy: 'ћ', + KJcy: 'Ќ', + kjcy: 'ќ', + Ubrcy: 'Ў', + ubrcy: 'ў', + DZcy: 'Џ', + dzcy: 'џ', +}; + +/** + * Mathematical Operators & Relations + * @type {Record} + */ +const MATH = { + plus: '+', + minus: '−', + mnplus: '∓', + mp: '∓', + pm: '±', + times: '×', + div: '÷', + divide: '÷', + sdot: '⋅', + star: '☆', + starf: '★', + bigstar: '★', + lowast: '∗', + ast: '*', + midast: '*', + compfn: '∘', + smallcircle: '∘', + bullet: '•', + bull: '•', + nbsp: '\u00a0', + hellip: '…', + mldr: '…', + prime: '′', + Prime: '″', + tprime: '‴', + bprime: '‵', + backprime: '‵', + minus: '−', + minusd: '∸', + dotminus: '∸', + plusdo: '∔', + dotplus: '∔', + plusmn: '±', + minusplus: '∓', + mnplus: '∓', + mp: '∓', + setminus: '∖', + smallsetminus: '∖', + Backslash: '∖', + setmn: '∖', + ssetmn: '∖', + lowbar: '_', + verbar: '|', + vert: '|', + VerticalLine: '|', + colon: ':', + Colon: '∷', + Proportion: '∷', + ratio: '∶', + equals: '=', + ne: '≠', + nequiv: '≢', + equiv: '≡', + Congruent: '≡', + sim: '∼', + thicksim: '∼', + thksim: '∼', + sime: '≃', + simeq: '≃', + TildeEqual: '≃', + asymp: '≈', + approx: '≈', + thickapprox: '≈', + thkap: '≈', + TildeTilde: '≈', + ncong: '≇', + cong: '≅', + TildeFullEqual: '≅', + asympeq: '≍', + CupCap: '≍', + bump: '≎', + Bumpeq: '≎', + HumpDownHump: '≎', + bumpe: '≏', + bumpeq: '≏', + HumpEqual: '≏', + dotminus: '∸', + minusd: '∸', + plusdo: '∔', + dotplus: '∔', + le: '≤', + LessEqual: '≤', + ge: '≥', + GreaterEqual: '≥', + lesseqgtr: '⋚', + lesseqqgtr: '⪋', + greater: '>', + less: '<', +}; + +/** + * Mathematical Operators (Advanced) + * @type {Record} + */ +const MATH_ADVANCED = { + alefsym: 'ℵ', + aleph: 'ℵ', + beth: 'ℶ', + gimel: 'ℷ', + daleth: 'ℸ', + forall: '∀', + ForAll: '∀', + part: '∂', + PartialD: '∂', + exist: '∃', + Exists: '∃', + nexist: '∄', + nexists: '∄', + empty: '∅', + emptyset: '∅', + emptyv: '∅', + varnothing: '∅', + nabla: '∇', + Del: '∇', + isin: '∈', + isinv: '∈', + in: '∈', + Element: '∈', + notin: '∉', + notinva: '∉', + ni: '∋', + niv: '∋', + SuchThat: '∋', + ReverseElement: '∋', + notni: '∌', + notniva: '∌', + prod: '∏', + Product: '∏', + coprod: '∐', + Coproduct: '∐', + sum: '∑', + Sum: '∑', + minus: '−', + mp: '∓', + plusdo: '∔', + dotplus: '∔', + setminus: '∖', + lowast: '∗', + radic: '√', + Sqrt: '√', + prop: '∝', + propto: '∝', + Proportional: '∝', + varpropto: '∝', + infin: '∞', + infintie: '⧝', + ang: '∠', + angle: '∠', + angmsd: '∡', + measuredangle: '∡', + angsph: '∢', + mid: '∣', + VerticalBar: '∣', + nmid: '∤', + nsmid: '∤', + npar: '∦', + parallel: '∥', + spar: '∥', + nparallel: '∦', + nspar: '∦', + and: '∧', + wedge: '∧', + or: '∨', + vee: '∨', + cap: '∩', + cup: '∪', + int: '∫', + Integral: '∫', + conint: '∮', + ContourIntegral: '∮', + Conint: '∯', + DoubleContourIntegral: '∯', + Cconint: '∰', + there4: '∴', + therefore: '∴', + Therefore: '∴', + becaus: '∵', + because: '∵', + Because: '∵', + ratio: '∶', + Proportion: '∷', + minusd: '∸', + dotminus: '∸', + mDDot: '∺', + homtht: '∻', + sim: '∼', + bsimg: '∽', + backsim: '∽', + ac: '∾', + mstpos: '∾', + acd: '∿', + VerticalTilde: '≀', + wr: '≀', + wreath: '≀', + nsime: '≄', + nsimeq: '≄', + nsimeq: '≄', + ncong: '≇', + simne: '≆', + ncongdot: '⩭̸', + ngsim: '≵', + nsim: '≁', + napprox: '≉', + nap: '≉', + ngeq: '≱', + nge: '≱', + nleq: '≰', + nle: '≰', + ngtr: '≯', + ngt: '≯', + nless: '≮', + nlt: '≮', + nprec: '⊀', + npr: '⊀', + nsucc: '⊁', + nsc: '⊁', +}; + +/** + * Arrows + * @type {Record} + */ +const ARROWS = { + larr: '←', + leftarrow: '←', + LeftArrow: '←', + uarr: '↑', + uparrow: '↑', + UpArrow: '↑', + rarr: '→', + rightarrow: '→', + RightArrow: '→', + darr: '↓', + downarrow: '↓', + DownArrow: '↓', + harr: '↔', + leftrightarrow: '↔', + LeftRightArrow: '↔', + varr: '↕', + updownarrow: '↕', + UpDownArrow: '↕', + nwarr: '↖', + nwarrow: '↖', + UpperLeftArrow: '↖', + nearr: '↗', + nearrow: '↗', + UpperRightArrow: '↗', + searr: '↘', + searrow: '↘', + LowerRightArrow: '↘', + swarr: '↙', + swarrow: '↙', + LowerLeftArrow: '↙', + lArr: '⇐', + Leftarrow: '⇐', + uArr: '⇑', + Uparrow: '⇑', + rArr: '⇒', + Rightarrow: '⇒', + dArr: '⇓', + Downarrow: '⇓', + hArr: '⇔', + Leftrightarrow: '⇔', + iff: '⇔', + vArr: '⇕', + Updownarrow: '⇕', + lAarr: '⇚', + Lleftarrow: '⇚', + rAarr: '⇛', + Rrightarrow: '⇛', + lrarr: '⇆', + leftrightarrows: '⇆', + rlarr: '⇄', + rightleftarrows: '⇄', + lrhar: '⇋', + leftrightharpoons: '⇋', + ReverseEquilibrium: '⇋', + rlhar: '⇌', + rightleftharpoons: '⇌', + Equilibrium: '⇌', + udarr: '⇅', + UpArrowDownArrow: '⇅', + duarr: '⇵', + DownArrowUpArrow: '⇵', + llarr: '⇇', + leftleftarrows: '⇇', + rrarr: '⇉', + rightrightarrows: '⇉', + ddarr: '⇊', + downdownarrows: '⇊', + har: '↽', + lhard: '↽', + leftharpoondown: '↽', + lharu: '↼', + leftharpoonup: '↼', + rhard: '⇁', + rightharpoondown: '⇁', + rharu: '⇀', + rightharpoonup: '⇀', + lsh: '↰', + Lsh: '↰', + rsh: '↱', + Rsh: '↱', + ldsh: '↲', + rdsh: '↳', + hookleftarrow: '↩', + hookrightarrow: '↪', + mapstoleft: '↤', + mapstoup: '↥', + map: '↦', + mapsto: '↦', + mapstodown: '↧', + crarr: '↵', + nwarrow: '↖', + nearrow: '↗', + searrow: '↘', + swarrow: '↙', + nleftarrow: '↚', + nleftrightarrow: '↮', + nrightarrow: '↛', + nrarr: '↛', + larrtl: '↢', + rarrtl: '↣', + leftarrowtail: '↢', + rightarrowtail: '↣', + twoheadleftarrow: '↞', + twoheadrightarrow: '↠', + Larr: '↞', + Rarr: '↠', + larrhk: '↩', + rarrhk: '↪', + larrlp: '↫', + looparrowleft: '↫', + rarrlp: '↬', + looparrowright: '↬', + harrw: '↭', + leftrightsquigarrow: '↭', + nrarrw: '↝̸', + rarrw: '↝', + rightsquigarrow: '↝', + larrbfs: '⤟', + rarrbfs: '⤠', + nvHarr: '⤄', + nvlArr: '⤂', + nvrArr: '⤃', + larrfs: '⤝', + rarrfs: '⤞', + Map: '⤅', + larrsim: '⥳', + rarrsim: '⥴', + harrcir: '⥈', + Uarrocir: '⥉', + lurdshar: '⥊', + ldrdhar: '⥧', + ldrushar: '⥋', + rdldhar: '⥩', + lrhard: '⥭', + rlhar: '⇌', + uharr: '↾', + uharl: '↿', + dharr: '⇂', + dharl: '⇃', + Uarr: '↟', + Darr: '↡', + zigrarr: '⇝', + nwArr: '⇖', + neArr: '⇗', + seArr: '⇘', + swArr: '⇙', + nharr: '↮', + nhArr: '⇎', + nlarr: '↚', + nlArr: '⇍', + nrarr: '↛', + nrArr: '⇏', + larrb: '⇤', + LeftArrowBar: '⇤', + rarrb: '⇥', + RightArrowBar: '⇥', +}; + +/** + * Geometric Shapes + * @type {Record} + */ +const SHAPES = { + square: '□', + Square: '□', + squ: '□', + squf: '▪', + squarf: '▪', + blacksquar: '▪', + blacksquare: '▪', + FilledVerySmallSquare: '▪', + blk34: '▓', + blk12: '▒', + blk14: '░', + block: '█', + srect: '▭', + rect: '▭', + sdot: '⋅', + sdotb: '⊡', + dotsquare: '⊡', + triangle: '▵', + tri: '▵', + trine: '▵', + utri: '▵', + triangledown: '▿', + dtri: '▿', + tridown: '▿', + triangleleft: '◃', + ltri: '◃', + triangleright: '▹', + rtri: '▹', + blacktriangle: '▴', + utrif: '▴', + blacktriangledown: '▾', + dtrif: '▾', + blacktriangleleft: '◂', + ltrif: '◂', + blacktriangleright: '▸', + rtrif: '▸', + loz: '◊', + lozenge: '◊', + blacklozenge: '⧫', + lozf: '⧫', + bigcirc: '◯', + xcirc: '◯', + circ: 'ˆ', + Circle: '○', + cir: '○', + o: '○', + bullet: '•', + bull: '•', + hellip: '…', + mldr: '…', + nldr: '‥', + boxh: '─', + HorizontalLine: '─', + boxv: '│', + boxdr: '┌', + boxdl: '┐', + boxur: '└', + boxul: '┘', + boxvr: '├', + boxvl: '┤', + boxhd: '┬', + boxhu: '┴', + boxvh: '┼', + boxH: '═', + boxV: '║', + boxdR: '╒', + boxDr: '╓', + boxDR: '╔', + boxDl: '╕', + boxdL: '╖', + boxDL: '╗', + boxuR: '╘', + boxUr: '╙', + boxUR: '╚', + boxUl: '╜', + boxuL: '╛', + boxUL: '╝', + boxvR: '╞', + boxVr: '╟', + boxVR: '╠', + boxVl: '╢', + boxvL: '╡', + boxVL: '╣', + boxHd: '╤', + boxhD: '╥', + boxHD: '╦', + boxHu: '╧', + boxhU: '╨', + boxHU: '╩', + boxvH: '╪', + boxVh: '╫', + boxVH: '╬', +}; + +/** + * Punctuation & Diacritics + * @type {Record} + */ +const PUNCTUATION = { + excl: '!', + iexcl: '¡', + brvbar: '¦', + sect: '§', + uml: '¨', + copy: '©', + ordf: 'ª', + laquo: '«', + not: '¬', + shy: '\u00ad', + reg: '®', + macr: '¯', + deg: '°', + plusmn: '±', + sup2: '²', + sup3: '³', + acute: '´', + micro: 'µ', + para: '¶', + middot: '·', + cedil: '¸', + sup1: '¹', + ordm: 'º', + raquo: '»', + frac14: '¼', + frac12: '½', + frac34: '¾', + iquest: '¿', + nbsp: '\u00a0', + comma: ',', + period: '.', + colon: ':', + semi: ';', + vert: '|', + Verbar: '‖', + verbar: '|', + dblac: '˝', + circ: 'ˆ', + caron: 'ˇ', + breve: '˘', + dot: '˙', + ring: '˚', + ogon: '˛', + tilde: '˜', + DiacriticalGrave: '`', + DiacriticalAcute: '´', + DiacriticalTilde: '˜', + DiacriticalDot: '˙', + DiacriticalDoubleAcute: '˝', + grave: '`', + acute: '´', +}; + +/** + * Currency Symbols + * @type {Record} + */ +const CURRENCY = { + cent: '¢', + pound: '£', + curren: '¤', + yen: '¥', + euro: '€', + dollar: '$', + euro: '€', + fnof: 'ƒ', + inr: '₹', + af: '؋', + birr: 'ብር', + peso: '₱', + rub: '₽', + won: '₩', + yuan: '¥', + cedil: '¸', +}; + +/** + * Fractions + * @type {Record} + */ +const FRACTIONS = { + frac12: '½', + half: '½', + frac13: '⅓', + frac14: '¼', + frac15: '⅕', + frac16: '⅙', + frac18: '⅛', + frac23: '⅔', + frac25: '⅖', + frac34: '¾', + frac35: '⅗', + frac38: '⅜', + frac45: '⅘', + frac56: '⅚', + frac58: '⅝', + frac78: '⅞', + frasl: '⁄', +}; + +/** + * Miscellaneous Symbols + * @type {Record} + */ +const MISC_SYMBOLS = { + trade: '™', + TRADE: '™', + telrec: '⌕', + target: '⌖', + ulcorn: '⌜', + ulcorner: '⌜', + urcorn: '⌝', + urcorner: '⌝', + dlcorn: '⌞', + llcorner: '⌞', + drcorn: '⌟', + lrcorner: '⌟', + intercal: '⊺', + intcal: '⊺', + oplus: '⊕', + CirclePlus: '⊕', + ominus: '⊖', + CircleMinus: '⊖', + otimes: '⊗', + CircleTimes: '⊗', + osol: '⊘', + odot: '⊙', + CircleDot: '⊙', + oast: '⊛', + circledast: '⊛', + odash: '⊝', + circleddash: '⊝', + ocirc: '⊚', + circledcirc: '⊚', + boxplus: '⊞', + plusb: '⊞', + boxminus: '⊟', + minusb: '⊟', + boxtimes: '⊠', + timesb: '⊠', + boxdot: '⊡', + sdotb: '⊡', + veebar: '⊻', + vee: '∨', + barvee: '⊽', + and: '∧', + wedge: '∧', + Cap: '⋒', + Cup: '⋓', + Fork: '⋔', + pitchfork: '⋔', + epar: '⋕', + ltlarr: '⥶', + nvap: '≍⃒', + nvsim: '∼⃒', + nvge: '≥⃒', + nvle: '≤⃒', + nvlt: '<⃒', + nvgt: '>⃒', + nvltrie: '⊴⃒', + nvrtrie: '⊵⃒', + Vdash: '⊩', + dashv: '⊣', + vDash: '⊨', + Vdash: '⊩', + Vvdash: '⊪', + nvdash: '⊬', + nvDash: '⊭', + nVdash: '⊮', + nVDash: '⊯', +}; + +/** + * All entities combined (if you need everything) + * @type {Record} + */ +const ALL_ENTITIES = { + ...BASIC_LATIN, + ...LATIN_ACCENTS, + ...LATIN_EXTENDED, + ...GREEK, + ...CYRILLIC, + ...MATH, + ...MATH_ADVANCED, + ...ARROWS, + ...SHAPES, + ...PUNCTUATION, + ...CURRENCY, + ...FRACTIONS, + ...MISC_SYMBOLS, +}; + +const XML = { + amp: "&", + apos: "'", + gt: ">", + lt: "<", + quot: "\"" +} +const COMMON_HTML = { + nbsp: '\u00a0', + copy: '\u00a9', + reg: '\u00ae', + trade: '\u2122', + mdash: '\u2014', + ndash: '\u2013', + hellip: '\u2026', + laquo: '\u00ab', + raquo: '\u00bb', + lsquo: '\u2018', + rsquo: '\u2019', + ldquo: '\u201c', + rdquo: '\u201d', + bull: '\u2022', + para: '\u00b6', + sect: '\u00a7', + deg: '\u00b0', + frac12: '\u00bd', + frac14: '\u00bc', + frac34: '\u00be', +} +// --------------------------------------------------------------------------- +// Note: NUMERIC_ENTITIES (&#NNN; / &#xHH;) are handled by the scanner directly +// via String.fromCodePoint() without any map lookup. +// --------------------------------------------------------------------------- +;// CONCATENATED MODULE: ./node_modules/@nodable/entities/src/EntityDecoder.js +// --------------------------------------------------------------------------- +// Built-in named entity map (name → replacement string) +// No regex, no {regex,val} objects — just flat key/value pairs. +// --------------------------------------------------------------------------- + + + +// --------------------------------------------------------------------------- +// Helpers +// --------------------------------------------------------------------------- + +const SPECIAL_CHARS = new Set('!?\\\\/[]$%{}^&*()<>|+'); + +/** + * Validate that an entity name contains no dangerous characters. + * @param {string} name + * @returns {string} the name, unchanged + * @throws {Error} on invalid characters + */ +function EntityDecoder_validateEntityName(name) { + if (name[0] === '#') { + throw new Error(`[EntityReplacer] Invalid character '#' in entity name: "${name}"`); + } + for (const ch of name) { + if (SPECIAL_CHARS.has(ch)) { + throw new Error(`[EntityReplacer] Invalid character '${ch}' in entity name: "${name}"`); + } + } + return name; +} + +/** + * Merge one or more entity maps into a flat name→string map. + * Accepts either: + * - plain string values: { amp: '&' } + * - legacy {regex,val} / {regx,val}: { lt: { regex: /.../, val: '<' } } + * + * Values containing '&' are skipped (recursive expansion risk). + * + * @param {...object} maps + * @returns {Record} + */ +function mergeEntityMaps(...maps) { + const out = Object.create(null); + for (const map of maps) { + if (!map) continue; + for (const key of Object.keys(map)) { + const raw = map[key]; + if (typeof raw === 'string') { + out[key] = raw; + } else if (raw && typeof raw === 'object' && raw.val !== undefined) { + // Legacy {regex,val} or {regx,val} — extract the string val only + const val = raw.val; + if (typeof val === 'string') { + out[key] = val; + } + // function vals are not supported in the scanner — skip + } + } + } + return out; +} + +// --------------------------------------------------------------------------- +// applyLimitsTo helpers +// --------------------------------------------------------------------------- + +const LIMIT_TIER_EXTERNAL = 'external'; // input/runtime + persistent external maps +const LIMIT_TIER_BASE = 'base'; // DEFAULT_XML_ENTITIES + namedEntities (system) maps +const LIMIT_TIER_ALL = 'all'; // every entity regardless of tier + +/** + * Resolve `applyLimitsTo` option into a normalised Set of tier strings. + * Accepted values: 'external' | 'base' | 'all' | string[] + * Default: 'external' (only untrusted injected entities are counted). + * @param {string|string[]|undefined} raw + * @returns {Set} + */ +function parseLimitTiers(raw) { + if (!raw || raw === LIMIT_TIER_EXTERNAL) return new Set([LIMIT_TIER_EXTERNAL]); + if (raw === LIMIT_TIER_ALL) return new Set([LIMIT_TIER_ALL]); + if (raw === LIMIT_TIER_BASE) return new Set([LIMIT_TIER_BASE]); + if (Array.isArray(raw)) return new Set(raw); + return new Set([LIMIT_TIER_EXTERNAL]); // safe default for unrecognised values +} + +// --------------------------------------------------------------------------- +// NCR (Numeric Character Reference) classification +// --------------------------------------------------------------------------- + +// Severity order — higher number = stricter action. +// Used to enforce minimum action levels for specific codepoint ranges. +const NCR_LEVEL = Object.freeze({ allow: 0, leave: 1, remove: 2, throw: 3 }); + +// XML 1.0 §2.2: allowed chars are #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF] +// Restricted C0: U+0001–U+001F excluding U+0009, U+000A, U+000D +const XML10_ALLOWED_C0 = new Set([0x09, 0x0A, 0x0D]); + +/** + * Parse the `ncr` constructor option into flat, hot-path-friendly fields. + * @param {object|undefined} ncr + * @returns {{ xmlVersion: number, onLevel: number, nullLevel: number }} + */ +function parseNCRConfig(ncr) { + if (!ncr) { + return { xmlVersion: 1.0, onLevel: NCR_LEVEL.allow, nullLevel: NCR_LEVEL.remove }; + } + const xmlVersion = ncr.xmlVersion === 1.1 ? 1.1 : 1.0; + const onLevel = NCR_LEVEL[ncr.onNCR] ?? NCR_LEVEL.allow; + const nullLevel = NCR_LEVEL[ncr.nullNCR] ?? NCR_LEVEL.remove; + // 'allow' is not meaningful for null — clamp to at least 'remove' + const clampedNull = Math.max(nullLevel, NCR_LEVEL.remove); + return { xmlVersion, onLevel, nullLevel: clampedNull }; +} + +// --------------------------------------------------------------------------- +// EntityReplacer +// --------------------------------------------------------------------------- + +/** + * Single-pass, zero-regex entity replacer for XML/HTML content. + * + * Algorithm: scan the string once for '&', read to ';', resolve via map + * or direct codepoint conversion, build output chunks, join once at the end. + * + * Entity lookup priority (highest → lowest): + * 1. input / runtime (DOCTYPE entities for current document) + * 2. persistent external (survive across documents) + * 3. base named map (DEFAULT_XML_ENTITIES + user-supplied namedEntities) + * + * Both input and external resolve as the 'external' tier for limit purposes. + * Base map entities resolve as the 'base' tier. + * + * Numeric / hex references (&#NNN; / &#xHH;) are resolved directly via + * String.fromCodePoint() — no map needed. They count as 'base' tier. + * + * @example + * const replacer = new EntityReplacer({ namedEntities: COMMON_HTML }); + * replacer.setExternalEntities({ brand: 'Acme' }); + * + * const instance = replacer.reset(); + * instance.addInputEntities({ version: '1.0' }); + * instance.encode('&brand; v&version; <'); // 'Acme v1.0 <' + */ +class EntityDecoder { + /** + * @param {object} [options] + * @param {object|null} [options.namedEntities] — extra named entities merged into base map + * @param {object} [options.limit] — security limits + * @param {number} [options.limit.maxTotalExpansions=0] — 0 = unlimited + * @param {number} [options.limit.maxExpandedLength=0] — 0 = unlimited + * @param {'external'|'base'|'all'|string[]} [options.limit.applyLimitsTo='external'] + * Which entity tiers count against the security limits: + * - 'external' (default) — only input/runtime + persistent external entities + * - 'base' — only DEFAULT_XML_ENTITIES + namedEntities + * - 'all' — every entity regardless of tier + * - string[] — explicit combination, e.g. ['external', 'base'] + * @param {((resolved: string, original: string) => string)|null} [options.postCheck=null] + * @param {string[]} [options.remove=[]] — entity names (e.g. ['nbsp', '#13']) to delete (replace with empty string) + * @param {string[]} [options.leave=[]] — entity names to keep as literal (unchanged in output) + * @param {object} [options.ncr] — Numeric Character Reference controls + * @param {1.0|1.1} [options.ncr.xmlVersion=1.0] + * XML version governing which codepoint ranges are restricted: + * - 1.0 — C0 controls U+0001–U+001F (except U+0009/000A/000D) are prohibited + * - 1.1 — C0 controls are allowed when written as NCRs; C1 (U+007F–U+009F) decoded as-is + * @param {'allow'|'leave'|'remove'|'throw'} [options.ncr.onNCR='allow'] + * Base action for numeric references. Severity order: allow < leave < remove < throw. + * For codepoint ranges that carry a minimum level (surrogates → remove, XML 1.0 C0 → remove), + * the effective action is max(onNCR, rangeMinimum). + * @param {'remove'|'throw'} [options.ncr.nullNCR='remove'] + * Action for U+0000 (null). 'allow' and 'leave' are clamped to 'remove' since null is never safe. + */ + constructor(options = {}) { + this._limit = options.limit || {}; + this._maxTotalExpansions = this._limit.maxTotalExpansions || 0; + this._maxExpandedLength = this._limit.maxExpandedLength || 0; + this._postCheck = typeof options.postCheck === 'function' ? options.postCheck : r => r; + this._limitTiers = parseLimitTiers(this._limit.applyLimitsTo ?? LIMIT_TIER_EXTERNAL); + this._numericAllowed = options.numericAllowed ?? true; + // Base map: DEFAULT_XML_ENTITIES + user-supplied extras. Immutable after construction. + this._baseMap = mergeEntityMaps(XML, options.namedEntities || null); + + // Persistent external entities — survive across documents. + // Stored as a separate map so reset() never touches them. + /** @type {Record} */ + this._externalMap = Object.create(null); + + // Input / runtime entities — current document only, wiped on reset(). + /** @type {Record} */ + this._inputMap = Object.create(null); + + // Per-document counters + this._totalExpansions = 0; + this._expandedLength = 0; + + // --- New: remove / leave sets --- + /** @type {Set} */ + this._removeSet = new Set(options.remove && Array.isArray(options.remove) ? options.remove : []); + /** @type {Set} */ + this._leaveSet = new Set(options.leave && Array.isArray(options.leave) ? options.leave : []); + + // --- NCR config (parsed into flat fields for hot-path speed) --- + const ncrCfg = parseNCRConfig(options.ncr); + this._ncrXmlVersion = ncrCfg.xmlVersion; + this._ncrOnLevel = ncrCfg.onLevel; + this._ncrNullLevel = ncrCfg.nullLevel; + } + + // ------------------------------------------------------------------------- + // Persistent external entity registration + // ------------------------------------------------------------------------- + + /** + * Replace the full set of persistent external entities. + * All keys are validated — throws on invalid characters. + * @param {Record} map + */ + setExternalEntities(map) { + if (map) { + for (const key of Object.keys(map)) { + EntityDecoder_validateEntityName(key); + } + } + this._externalMap = mergeEntityMaps(map); + } + + /** + * Add a single persistent external entity. + * @param {string} key + * @param {string} value + */ + addExternalEntity(key, value) { + EntityDecoder_validateEntityName(key); + if (typeof value === 'string' && value.indexOf('&') === -1) { + this._externalMap[key] = value; + } + } + + // ------------------------------------------------------------------------- + // Input / runtime entity registration (per document) + // ------------------------------------------------------------------------- + + /** + * Inject DOCTYPE entities for the current document. + * Also resets per-document expansion counters. + * @param {Record} map + */ + addInputEntities(map) { + this._totalExpansions = 0; + this._expandedLength = 0; + this._inputMap = mergeEntityMaps(map); + } + + // ------------------------------------------------------------------------- + // Per-document reset + // ------------------------------------------------------------------------- + + /** + * Wipe input/runtime entities and reset counters. + * Call this before processing each new document. + * @returns {this} + */ + reset() { + this._inputMap = Object.create(null); + this._totalExpansions = 0; + this._expandedLength = 0; + return this; + } + + // ------------------------------------------------------------------------- + // XML version (can be set after construction, e.g. once parser reads ) + // ------------------------------------------------------------------------- + + /** + * Update the XML version used for NCR classification. + * Call this as soon as the document's `` declaration is parsed. + * @param {1.0|1.1|number} version + */ + setXmlVersion(version) { + this._ncrXmlVersion = version === 1.1 ? 1.1 : 1.0; + } + + // ------------------------------------------------------------------------- + // Primary API + // ------------------------------------------------------------------------- + + /** + * Replace all entity references in `str` in a single pass. + * + * @param {string} str + * @returns {string} + */ + decode(str) { + if (typeof str !== 'string' || str.length === 0) return str; + //TODO: check if needed + //if (str.indexOf('&') === -1) return str; // fast path — no entities at all + + const original = str; + const chunks = []; + const len = str.length; + let last = 0; // start of next unprocessed literal chunk + let i = 0; + + const limitExpansions = this._maxTotalExpansions > 0; + const limitLength = this._maxExpandedLength > 0; + const checkLimits = limitExpansions || limitLength; + + while (i < len) { + // Scan forward to next '&' + if (str.charCodeAt(i) !== 38 /* '&' */) { i++; continue; } + + // --- Found '&' at position i --- + + // Scan forward to ';' + let j = i + 1; + while (j < len && str.charCodeAt(j) !== 59 /* ';' */ && (j - i) <= 32) j++; + + if (j >= len || str.charCodeAt(j) !== 59) { + // No closing ';' within window — treat '&' as literal + i++; + continue; + } + + // Raw token between '&' and ';' (exclusive) + const token = str.slice(i + 1, j); + if (token.length === 0) { i++; continue; } + + let replacement; + let tier; // which limit tier this entity belongs to + + if (this._removeSet.has(token)) { + // Remove entity: replace with empty string + replacement = ''; + // If entity was unknown (replacement undefined), we still need a tier for limits. + // Treat as external tier because it's user-directed removal of an unknown reference. + if (tier === undefined) { + tier = LIMIT_TIER_EXTERNAL; + } + } else if (this._leaveSet.has(token)) { + // Do not replace — keep original &token; as literal + i++; + continue; + } else if (token.charCodeAt(0) === 35 /* '#' */) { + // ---- Numeric / NCR reference ---- + // NCR classification always runs first — prohibited codepoints must be + // caught regardless of numericAllowed. + const ncrResult = this._resolveNCR(token); + if (ncrResult === undefined) { + // 'leave' action — keep original &token; as-is + i++; + continue; + } + replacement = ncrResult; // '' for remove, char string for allow + tier = LIMIT_TIER_BASE; + } else { + // ---- Named reference ---- + const resolved = this._resolveName(token); + replacement = resolved?.value; + tier = resolved?.tier; + } + + if (replacement === undefined) { + // Unknown entity — leave as-is, advance past '&' only + i++; + continue; + } + + // Flush literal chunk before this entity + if (i > last) chunks.push(str.slice(last, i)); + chunks.push(replacement); + last = j + 1; // skip past ';' + i = last; + + // Apply expansion limits only if this tier is being tracked + if (checkLimits && this._tierCounts(tier)) { + if (limitExpansions) { + this._totalExpansions++; + if (this._totalExpansions > this._maxTotalExpansions) { + throw new Error( + `[EntityReplacer] Entity expansion count limit exceeded: ` + + `${this._totalExpansions} > ${this._maxTotalExpansions}` + ); + } + } + if (limitLength) { + // delta: replacement.length minus the raw &token; length (token.length + 2 for '&' and ';') + const delta = replacement.length - (token.length + 2); + if (delta > 0) { + this._expandedLength += delta; + if (this._expandedLength > this._maxExpandedLength) { + throw new Error( + `[EntityReplacer] Expanded content length limit exceeded: ` + + `${this._expandedLength} > ${this._maxExpandedLength}` + ); + } + } + } + } + } + + // Flush trailing literal + if (last < len) chunks.push(str.slice(last)); + + // If nothing was replaced, chunks is empty — return original + const result = chunks.length === 0 ? str : chunks.join(''); + + return this._postCheck(result, original); + } + + // ------------------------------------------------------------------------- + // Private: limit tier check + // ------------------------------------------------------------------------- + + /** + * Returns true if a resolved entity of the given tier should count + * against the expansion/length limits. + * @param {string} tier — LIMIT_TIER_EXTERNAL | LIMIT_TIER_BASE + * @returns {boolean} + */ + _tierCounts(tier) { + if (this._limitTiers.has(LIMIT_TIER_ALL)) return true; + return this._limitTiers.has(tier); + } + + // ------------------------------------------------------------------------- + // Private: entity resolution + // ------------------------------------------------------------------------- + + /** + * Resolve a named entity token (without & and ;). + * Priority: inputMap > externalMap > baseMap + * Returns the resolved value tagged with its limit tier. + * + * @param {string} name + * @returns {{ value: string, tier: string }|undefined} + */ + _resolveName(name) { + // input and external both count as 'external' tier for limit purposes — + // they are injected at runtime and are the untrusted surface. + if (name in this._inputMap) return { value: this._inputMap[name], tier: LIMIT_TIER_EXTERNAL }; + if (name in this._externalMap) return { value: this._externalMap[name], tier: LIMIT_TIER_EXTERNAL }; + if (name in this._baseMap) return { value: this._baseMap[name], tier: LIMIT_TIER_BASE }; + return undefined; + } + + /** + * Classify a codepoint and return the minimum action level that must be applied. + * Returns -1 when no minimum is imposed (normal allow path). + * + * Ranges checked (in priority order): + * 1. U+0000 — null, governed by nullNCR (always ≥ remove) + * 2. U+D800–U+DFFF — surrogates, always prohibited (min: remove) + * 3. U+0001–U+001F \ {0x09,0x0A,0x0D} — XML 1.0 restricted C0 (min: remove) + * (skipped in XML 1.1 — C0 controls are allowed when written as NCRs) + * + * @param {number} cp — codepoint + * @returns {number} — minimum NCR_LEVEL value, or -1 for no restriction + */ + _classifyNCR(cp) { + // 1. Null + if (cp === 0) return this._ncrNullLevel; + + // 2. Surrogates — always prohibited, minimum 'remove' + if (cp >= 0xD800 && cp <= 0xDFFF) return NCR_LEVEL.remove; + + // 3. XML 1.0 restricted C0 controls + if (this._ncrXmlVersion === 1.0) { + if (cp >= 0x01 && cp <= 0x1F && !XML10_ALLOWED_C0.has(cp)) return NCR_LEVEL.remove; + } + + return -1; // no restriction + } + + /** + * Execute a resolved NCR action. + * + * @param {number} action — NCR_LEVEL value + * @param {string} token — raw token (e.g. '#38') for error messages + * @param {number} cp — codepoint, used only for error messages + * @returns {string|undefined} + * - decoded character string → 'allow' + * - '' → 'remove' + * - undefined → 'leave' (caller must skip past '&' only) + * - throws Error → 'throw' + */ + _applyNCRAction(action, token, cp) { + switch (action) { + case NCR_LEVEL.allow: return String.fromCodePoint(cp); + case NCR_LEVEL.remove: return ''; + case NCR_LEVEL.leave: return undefined; // signal: keep literal + case NCR_LEVEL.throw: + throw new Error( + `[EntityDecoder] Prohibited numeric character reference ` + + `&${token}; (U+${cp.toString(16).toUpperCase().padStart(4, '0')})` + ); + default: return String.fromCodePoint(cp); + } + } + + /** + * Full NCR resolution pipeline for a numeric token. + * + * Steps: + * 1. Parse the codepoint (decimal or hex). + * 2. Validate the raw codepoint range (NaN, <0, >0x10FFFF). + * 3. If numericAllowed is false and no minimum restriction applies → leave as-is. + * 4. Classify the codepoint to find the minimum required action level. + * 5. Resolve effective action = max(onNCR, minimum). + * 6. Apply and return. + * + * @param {string} token — e.g. '#38', '#x26', '#X26' + * @returns {string|undefined} + * - string (incl. '') — replacement ('' = remove) + * - undefined — leave original &token; as-is + */ + _resolveNCR(token) { + // Step 1: parse codepoint + const second = token.charCodeAt(1); + let cp; + if (second === 120 /* x */ || second === 88 /* X */) { + cp = parseInt(token.slice(2), 16); + } else { + cp = parseInt(token.slice(1), 10); + } + + // Step 2: out-of-range → leave as-is unconditionally + if (Number.isNaN(cp) || cp < 0 || cp > 0x10FFFF) return undefined; + + // Step 3: classify to get minimum action level + const minimum = this._classifyNCR(cp); + + // Step 4: if numericAllowed is false and no hard minimum → leave + if (!this._numericAllowed && minimum < NCR_LEVEL.remove) return undefined; + + // Step 5: effective action = max(configured onNCR, range minimum) + const effective = minimum === -1 + ? this._ncrOnLevel + : Math.max(this._ncrOnLevel, minimum); + + // Step 6: apply + return this._applyNCRAction(effective, token, cp); + } +} ;// CONCATENATED MODULE: ./node_modules/fast-xml-parser/src/xmlparser/OrderedObjParser.js ///@ts-check @@ -217137,6 +219167,8 @@ function ignoreAttributes_getIgnoreAttributesFn(ignoreAttributes) { + + // const regx = // '<((!\\[CDATA\\[([\\s\\S]*?)(]]>))|((NAME:)?(NAME))([^>]*)>|((\\/)(NAME)\\s*>))([^<]*)' // .replace(/NAME/g, util.nameRegexp); @@ -217196,36 +219228,10 @@ function extractNamespace(rawTagName) { } class OrderedObjParser { - constructor(options) { + constructor(options, externalEntities) { this.options = options; this.currentNode = null; this.tagsNodeStack = []; - this.docTypeEntities = {}; - this.lastEntities = { - "apos": { regex: /&(apos|#39|#x27);/g, val: "'" }, - "gt": { regex: /&(gt|#62|#x3E);/g, val: ">" }, - "lt": { regex: /&(lt|#60|#x3C);/g, val: "<" }, - "quot": { regex: /&(quot|#34|#x22);/g, val: "\"" }, - }; - this.ampEntity = { regex: /&(amp|#38|#x26);/g, val: "&" }; - this.htmlEntities = { - "space": { regex: /&(nbsp|#160);/g, val: " " }, - // "lt" : { regex: /&(lt|#60);/g, val: "<" }, - // "gt" : { regex: /&(gt|#62);/g, val: ">" }, - // "amp" : { regex: /&(amp|#38);/g, val: "&" }, - // "quot" : { regex: /&(quot|#34);/g, val: "\"" }, - // "apos" : { regex: /&(apos|#39);/g, val: "'" }, - "cent": { regex: /&(cent|#162);/g, val: "¢" }, - "pound": { regex: /&(pound|#163);/g, val: "£" }, - "yen": { regex: /&(yen|#165);/g, val: "¥" }, - "euro": { regex: /&(euro|#8364);/g, val: "€" }, - "copyright": { regex: /&(copy|#169);/g, val: "©" }, - "reg": { regex: /&(reg|#174);/g, val: "®" }, - "inr": { regex: /&(inr|#8377);/g, val: "₹" }, - "num_dec": { regex: /&#([0-9]{1,7});/g, val: (_, str) => fromCodePoint(str, 10, "&#") }, - "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val: (_, str) => fromCodePoint(str, 16, "&#x") }, - }; - this.addExternalEntities = addExternalEntities; this.parseXml = parseXml; this.parseTextData = parseTextData; this.resolveNameSpace = resolveNameSpace; @@ -217238,6 +219244,23 @@ class OrderedObjParser { this.ignoreAttributesFn = ignoreAttributes_getIgnoreAttributesFn(this.options.ignoreAttributes) this.entityExpansionCount = 0; this.currentExpandedLength = 0; + let namedEntities = { ...XML }; + if (this.options.entityDecoder) { + this.entityDecoder = this.options.entityDecoder + } else { + if (typeof this.options.htmlEntities === "object") namedEntities = this.options.htmlEntities; + else if (this.options.htmlEntities === true) namedEntities = { ...COMMON_HTML, ...CURRENCY }; + this.entityDecoder = new EntityDecoder({ + namedEntities: { ...namedEntities, ...externalEntities }, + numericAllowed: this.options.htmlEntities, + limit: { + maxTotalExpansions: this.options.processEntities.maxTotalExpansions, + maxExpandedLength: this.options.processEntities.maxExpandedLength, + applyLimitsTo: this.options.processEntities.appliesTo, + } + //postCheck: resolved => resolved + }); + } // Initialize path matcher for path-expression-matcher this.matcher = new Matcher(); @@ -217250,34 +219273,25 @@ class OrderedObjParser { this.isCurrentNodeStopNode = false; // Pre-compile stopNodes expressions - if (this.options.stopNodes && this.options.stopNodes.length > 0) { - this.stopNodeExpressions = []; - for (let i = 0; i < this.options.stopNodes.length; i++) { - const stopNodeExp = this.options.stopNodes[i]; + this.stopNodeExpressionsSet = new ExpressionSet(); + const stopNodesOpts = this.options.stopNodes; + if (stopNodesOpts && stopNodesOpts.length > 0) { + for (let i = 0; i < stopNodesOpts.length; i++) { + const stopNodeExp = stopNodesOpts[i]; if (typeof stopNodeExp === 'string') { // Convert string to Expression object - this.stopNodeExpressions.push(new Expression(stopNodeExp)); + this.stopNodeExpressionsSet.add(new Expression(stopNodeExp)); } else if (stopNodeExp instanceof Expression) { // Already an Expression object - this.stopNodeExpressions.push(stopNodeExp); + this.stopNodeExpressionsSet.add(stopNodeExp); } } + this.stopNodeExpressionsSet.seal(); } } } -function addExternalEntities(externalEntities) { - const entKeys = Object.keys(externalEntities); - for (let i = 0; i < entKeys.length; i++) { - const ent = entKeys[i]; - const escaped = ent.replace(/[.\-+*:]/g, '\\.'); - this.lastEntities[ent] = { - regex: new RegExp("&" + escaped + ";", "g"), - val: externalEntities[ent] - } - } -} /** * @param {string} val @@ -217289,28 +219303,29 @@ function addExternalEntities(externalEntities) { * @param {boolean} escapeEntities */ function parseTextData(val, tagName, jPath, dontTrim, hasAttributes, isLeafNode, escapeEntities) { + const options = this.options; if (val !== undefined) { - if (this.options.trimValues && !dontTrim) { + if (options.trimValues && !dontTrim) { val = val.trim(); } if (val.length > 0) { if (!escapeEntities) val = this.replaceEntitiesValue(val, tagName, jPath); // Pass jPath string or matcher based on options.jPath setting - const jPathOrMatcher = this.options.jPath ? jPath.toString() : jPath; - const newval = this.options.tagValueProcessor(tagName, val, jPathOrMatcher, hasAttributes, isLeafNode); + const jPathOrMatcher = options.jPath ? jPath.toString() : jPath; + const newval = options.tagValueProcessor(tagName, val, jPathOrMatcher, hasAttributes, isLeafNode); if (newval === null || newval === undefined) { //don't parse return val; } else if (typeof newval !== typeof val || newval !== val) { //overwrite return newval; - } else if (this.options.trimValues) { - return OrderedObjParser_parseValue(val, this.options.parseTagValue, this.options.numberParseOptions); + } else if (options.trimValues) { + return OrderedObjParser_parseValue(val, options.parseTagValue, options.numberParseOptions); } else { const trimmedVal = val.trim(); if (trimmedVal === val) { - return OrderedObjParser_parseValue(val, this.options.parseTagValue, this.options.numberParseOptions); + return OrderedObjParser_parseValue(val, options.parseTagValue, options.numberParseOptions); } else { return val; } @@ -217337,8 +219352,9 @@ function resolveNameSpace(tagname) { //const attrsRegx = new RegExp("([\\w\\-\\.\\:]+)\\s*=\\s*(['\"])((.|\n)*?)\\2","gm"); const attrsRegx = new RegExp('([^\\s=]+)\\s*(=\\s*([\'"])([\\s\\S]*?)\\3)?', 'gm'); -function buildAttributesMap(attrStr, jPath, tagName) { - if (this.options.ignoreAttributes !== true && typeof attrStr === 'string') { +function buildAttributesMap(attrStr, jPath, tagName, force = false) { + const options = this.options; + if (force === true || (options.ignoreAttributes !== true && typeof attrStr === 'string')) { // attrStr = attrStr.replace(/\r?\n/g, ' '); //attrStr = attrStr || attrStr.trim(); @@ -217346,89 +219362,80 @@ function buildAttributesMap(attrStr, jPath, tagName) { const len = matches.length; //don't make it inline const attrs = {}; - // First pass: parse all attributes and update matcher with raw values - // This ensures the matcher has all attribute values when processors run + // Pre-process values once: trim + entity replacement + // Reused in both matcher update and second pass + const processedVals = new Array(len); + let hasRawAttrs = false; const rawAttrsForMatcher = {}; + for (let i = 0; i < len; i++) { const attrName = this.resolveNameSpace(matches[i][1]); const oldVal = matches[i][4]; if (attrName.length && oldVal !== undefined) { - let parsedVal = oldVal; - if (this.options.trimValues) { - parsedVal = parsedVal.trim(); - } - parsedVal = this.replaceEntitiesValue(parsedVal, tagName, this.readonlyMatcher); - rawAttrsForMatcher[attrName] = parsedVal; + let val = oldVal; + if (options.trimValues) val = val.trim(); + val = this.replaceEntitiesValue(val, tagName, this.readonlyMatcher); + processedVals[i] = val; + + rawAttrsForMatcher[attrName] = val; + hasRawAttrs = true; } } - // Update matcher with raw attribute values BEFORE running processors - if (Object.keys(rawAttrsForMatcher).length > 0 && typeof jPath === 'object' && jPath.updateCurrent) { + // Update matcher ONCE before second pass, if applicable + if (hasRawAttrs && typeof jPath === 'object' && jPath.updateCurrent) { jPath.updateCurrent(rawAttrsForMatcher); } - // Second pass: now process attributes with matcher having full attribute context + // Hoist toString() once — path doesn't change during attribute processing + const jPathStr = options.jPath ? jPath.toString() : this.readonlyMatcher; + + // Second pass: apply processors, build final attrs + let hasAttrs = false; for (let i = 0; i < len; i++) { const attrName = this.resolveNameSpace(matches[i][1]); - // Convert jPath to string if needed for ignoreAttributesFn - const jPathStr = this.options.jPath ? jPath.toString() : this.readonlyMatcher; - if (this.ignoreAttributesFn(attrName, jPathStr)) { - continue - } + if (this.ignoreAttributesFn(attrName, jPathStr)) continue; - let oldVal = matches[i][4]; - let aName = this.options.attributeNamePrefix + attrName; + let aName = options.attributeNamePrefix + attrName; if (attrName.length) { - if (this.options.transformAttributeName) { - aName = this.options.transformAttributeName(aName); + if (options.transformAttributeName) { + aName = options.transformAttributeName(aName); } - //if (aName === "__proto__") aName = "#__proto__"; - aName = sanitizeName(aName, this.options); + aName = sanitizeName(aName, options); - if (oldVal !== undefined) { - if (this.options.trimValues) { - oldVal = oldVal.trim(); - } - oldVal = this.replaceEntitiesValue(oldVal, tagName, this.readonlyMatcher); + if (matches[i][4] !== undefined) { + // Reuse already-processed value — no double entity replacement + const oldVal = processedVals[i]; - // Pass jPath string or readonlyMatcher based on options.jPath setting - const jPathOrMatcher = this.options.jPath ? jPath.toString() : this.readonlyMatcher; - const newVal = this.options.attributeValueProcessor(attrName, oldVal, jPathOrMatcher); + const newVal = options.attributeValueProcessor(attrName, oldVal, jPathStr); if (newVal === null || newVal === undefined) { - //don't parse attrs[aName] = oldVal; } else if (typeof newVal !== typeof oldVal || newVal !== oldVal) { - //overwrite attrs[aName] = newVal; } else { - //parse - attrs[aName] = OrderedObjParser_parseValue( - oldVal, - this.options.parseAttributeValue, - this.options.numberParseOptions - ); + attrs[aName] = OrderedObjParser_parseValue(oldVal, options.parseAttributeValue, options.numberParseOptions); } - } else if (this.options.allowBooleanAttributes) { + hasAttrs = true; + } else if (options.allowBooleanAttributes) { attrs[aName] = true; + hasAttrs = true; } } } - if (!Object.keys(attrs).length) { - return; - } - if (this.options.attributesGroupName) { + if (!hasAttrs) return; + + if (options.attributesGroupName && !options.preserveOrder) { const attrCollection = {}; - attrCollection[this.options.attributesGroupName] = attrs; + attrCollection[options.attributesGroupName] = attrs; return attrCollection; } - return attrs + return attrs; } } - const parseXml = function (xmlData) { xmlData = xmlData.replace(/\r\n?/g, "\n"); //TODO: remove this line const xmlObj = new XmlNode('!xml'); @@ -217437,29 +219444,32 @@ const parseXml = function (xmlData) { // Reset matcher for new document this.matcher.reset(); + this.entityDecoder.reset(); // Reset entity expansion counters for this document this.entityExpansionCount = 0; this.currentExpandedLength = 0; - - const docTypeReader = new DocTypeReader(this.options.processEntities); - for (let i = 0; i < xmlData.length; i++) {//for each char in XML data + const options = this.options; + const docTypeReader = new DocTypeReader(options.processEntities); + const xmlLen = xmlData.length; + for (let i = 0; i < xmlLen; i++) {//for each char in XML data const ch = xmlData[i]; if (ch === '<') { // const nextIndex = i+1; // const _2ndChar = xmlData[nextIndex]; - if (xmlData[i + 1] === '/') {//Closing Tag + const c1 = xmlData.charCodeAt(i + 1); + if (c1 === 47) {//Closing Tag '/' const closeIndex = findClosingIndex(xmlData, ">", i, "Closing Tag is not closed.") let tagName = xmlData.substring(i + 2, closeIndex).trim(); - if (this.options.removeNSPrefix) { + if (options.removeNSPrefix) { const colonIndex = tagName.indexOf(":"); if (colonIndex !== -1) { tagName = tagName.substr(colonIndex + 1); } } - tagName = transformTagName(this.options.transformTagName, tagName, "", this.options).tagName; + tagName = transformTagName(options.transformTagName, tagName, "", options).tagName; if (currentNode) { textData = this.saveTextToParentTag(textData, currentNode, this.readonlyMatcher); @@ -217467,10 +219477,10 @@ const parseXml = function (xmlData) { //check if last tag of nested tag was unpaired tag const lastTagName = this.matcher.getCurrentTag(); - if (tagName && this.options.unpairedTags.indexOf(tagName) !== -1) { + if (tagName && options.unpairedTagsSet.has(tagName)) { throw new Error(`Unpaired tag can not be used as closing tag: `); } - if (lastTagName && this.options.unpairedTags.indexOf(lastTagName) !== -1) { + if (lastTagName && options.unpairedTagsSet.has(lastTagName)) { // Pop the unpaired tag this.matcher.pop(); this.tagsNodeStack.pop(); @@ -217482,42 +219492,51 @@ const parseXml = function (xmlData) { currentNode = this.tagsNodeStack.pop();//avoid recursion, set the parent tag scope textData = ""; i = closeIndex; - } else if (xmlData[i + 1] === '?') { + } else if (c1 === 63) { //'?' let tagData = readTagExp(xmlData, i, false, "?>"); if (!tagData) throw new Error("Pi Tag is not closed."); textData = this.saveTextToParentTag(textData, currentNode, this.readonlyMatcher); - if ((this.options.ignoreDeclaration && tagData.tagName === "?xml") || this.options.ignorePiTags) { + const attsMap = this.buildAttributesMap(tagData.tagExp, this.matcher, tagData.tagName, true); + if (attsMap) { + const ver = attsMap[this.options.attributeNamePrefix + "version"]; + this.entityDecoder.setXmlVersion(Number(ver) || 1.0); + } + if ((options.ignoreDeclaration && tagData.tagName === "?xml") || options.ignorePiTags) { //do nothing } else { const childNode = new XmlNode(tagData.tagName); - childNode.add(this.options.textNodeName, ""); + childNode.add(options.textNodeName, ""); - if (tagData.tagName !== tagData.tagExp && tagData.attrExpPresent) { - childNode[":@"] = this.buildAttributesMap(tagData.tagExp, this.matcher, tagData.tagName); + if (tagData.tagName !== tagData.tagExp && tagData.attrExpPresent && options.ignoreAttributes !== true) { + childNode[":@"] = attsMap } this.addChild(currentNode, childNode, this.readonlyMatcher, i); } i = tagData.closeIndex + 1; - } else if (xmlData.substr(i + 1, 3) === '!--') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 45 + && xmlData.charCodeAt(i + 3) === 45) { //'!--' const endIndex = findClosingIndex(xmlData, "-->", i + 4, "Comment is not closed.") - if (this.options.commentPropName) { + if (options.commentPropName) { const comment = xmlData.substring(i + 4, endIndex - 2); textData = this.saveTextToParentTag(textData, currentNode, this.readonlyMatcher); - currentNode.add(this.options.commentPropName, [{ [this.options.textNodeName]: comment }]); + currentNode.add(options.commentPropName, [{ [options.textNodeName]: comment }]); } i = endIndex; - } else if (xmlData.substr(i + 1, 2) === '!D') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 68) { //'!D' const result = docTypeReader.readDocType(xmlData, i); - this.docTypeEntities = result.entities; + this.entityDecoder.addInputEntities(result.entities); i = result.i; - } else if (xmlData.substr(i + 1, 2) === '![') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 91) { // '![' const closeIndex = findClosingIndex(xmlData, "]]>", i, "CDATA is not closed.") - 2; const tagExp = xmlData.substring(i + 9, closeIndex); @@ -217527,20 +219546,20 @@ const parseXml = function (xmlData) { if (val == undefined) val = ""; //cdata should be set even if it is 0 length string - if (this.options.cdataPropName) { - currentNode.add(this.options.cdataPropName, [{ [this.options.textNodeName]: tagExp }]); + if (options.cdataPropName) { + currentNode.add(options.cdataPropName, [{ [options.textNodeName]: tagExp }]); } else { - currentNode.add(this.options.textNodeName, val); + currentNode.add(options.textNodeName, val); } i = closeIndex + 2; } else {//Opening tag - let result = readTagExp(xmlData, i, this.options.removeNSPrefix); + let result = readTagExp(xmlData, i, options.removeNSPrefix); // Safety check: readTagExp can return undefined if (!result) { // Log context for debugging - const context = xmlData.substring(Math.max(0, i - 50), Math.min(xmlData.length, i + 50)); + const context = xmlData.substring(Math.max(0, i - 50), Math.min(xmlLen, i + 50)); throw new Error(`readTagExp returned undefined at position ${i}. Context: "${context}"`); } @@ -217550,13 +219569,13 @@ const parseXml = function (xmlData) { let attrExpPresent = result.attrExpPresent; let closeIndex = result.closeIndex; - ({ tagName, tagExp } = transformTagName(this.options.transformTagName, tagName, tagExp, this.options)); + ({ tagName, tagExp } = transformTagName(options.transformTagName, tagName, tagExp, options)); - if (this.options.strictReservedNames && - (tagName === this.options.commentPropName - || tagName === this.options.cdataPropName - || tagName === this.options.textNodeName - || tagName === this.options.attributesGroupName + if (options.strictReservedNames && + (tagName === options.commentPropName + || tagName === options.cdataPropName + || tagName === options.textNodeName + || tagName === options.attributesGroupName )) { throw new Error(`Invalid tag name: ${tagName}`); } @@ -217571,7 +219590,7 @@ const parseXml = function (xmlData) { //check if last tag was unpaired tag const lastTag = currentNode; - if (lastTag && this.options.unpairedTags.indexOf(lastTag.tagname) !== -1) { + if (lastTag && options.unpairedTagsSet.has(lastTag.tagname)) { currentNode = this.tagsNodeStack.pop(); this.matcher.pop(); } @@ -217613,13 +219632,14 @@ const parseXml = function (xmlData) { if (prefixedAttrs) { // Extract raw attributes (without prefix) for our use - rawAttrs = extractRawAttributes(prefixedAttrs, this.options); + //TODO: seems a performance overhead + rawAttrs = extractRawAttributes(prefixedAttrs, options); } } // Now check if this is a stop node (after attributes are set) if (tagName !== xmlObj.tagname) { - this.isCurrentNodeStopNode = this.isItStopNode(this.stopNodeExpressions, this.matcher); + this.isCurrentNodeStopNode = this.isItStopNode(); } const startIndex = i; @@ -217631,7 +219651,7 @@ const parseXml = function (xmlData) { i = result.closeIndex; } //unpaired tag - else if (this.options.unpairedTags.indexOf(tagName) !== -1) { + else if (options.unpairedTagsSet.has(tagName)) { i = result.closeIndex; } //normal tag @@ -217650,7 +219670,7 @@ const parseXml = function (xmlData) { } // For stop nodes, store raw content as-is without any processing - childNode.add(this.options.textNodeName, tagContent); + childNode.add(options.textNodeName, tagContent); this.matcher.pop(); // Pop the stop node tag this.isCurrentNodeStopNode = false; // Reset flag @@ -217659,7 +219679,7 @@ const parseXml = function (xmlData) { } else { //selfClosing tag if (isSelfClosing) { - ({ tagName, tagExp } = transformTagName(this.options.transformTagName, tagName, tagExp, this.options)); + ({ tagName, tagExp } = transformTagName(options.transformTagName, tagName, tagExp, options)); const childNode = new XmlNode(tagName); if (prefixedAttrs) { @@ -217669,7 +219689,7 @@ const parseXml = function (xmlData) { this.matcher.pop(); // Pop self-closing tag this.isCurrentNodeStopNode = false; // Reset flag } - else if (this.options.unpairedTags.indexOf(tagName) !== -1) {//unpaired tag + else if (options.unpairedTagsSet.has(tagName)) {//unpaired tag const childNode = new XmlNode(tagName); if (prefixedAttrs) { childNode[":@"] = prefixedAttrs; @@ -217684,7 +219704,7 @@ const parseXml = function (xmlData) { //opening tag else { const childNode = new XmlNode(tagName); - if (this.tagsNodeStack.length > this.options.maxNestedTags) { + if (this.tagsNodeStack.length > options.maxNestedTags) { throw new Error("Maximum nested tags exceeded"); } this.tagsNodeStack.push(currentNode); @@ -217755,79 +219775,7 @@ function OrderedObjParser_replaceEntitiesValue(val, tagName, jPath) { } } - // Replace DOCTYPE entities - for (const entityName of Object.keys(this.docTypeEntities)) { - const entity = this.docTypeEntities[entityName]; - const matches = val.match(entity.regx); - - if (matches) { - // Track expansions - this.entityExpansionCount += matches.length; - - // Check expansion limit - if (entityConfig.maxTotalExpansions && - this.entityExpansionCount > entityConfig.maxTotalExpansions) { - throw new Error( - `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}` - ); - } - - // Store length before replacement - const lengthBefore = val.length; - val = val.replace(entity.regx, entity.val); - - // Check expanded length immediately after replacement - if (entityConfig.maxExpandedLength) { - this.currentExpandedLength += (val.length - lengthBefore); - - if (this.currentExpandedLength > entityConfig.maxExpandedLength) { - throw new Error( - `Total expanded content size exceeded: ${this.currentExpandedLength} > ${entityConfig.maxExpandedLength}` - ); - } - } - } - } - // Replace standard entities - for (const entityName of Object.keys(this.lastEntities)) { - const entity = this.lastEntities[entityName]; - const matches = val.match(entity.regex); - if (matches) { - this.entityExpansionCount += matches.length; - if (entityConfig.maxTotalExpansions && - this.entityExpansionCount > entityConfig.maxTotalExpansions) { - throw new Error( - `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}` - ); - } - } - val = val.replace(entity.regex, entity.val); - } - if (val.indexOf('&') === -1) return val; - - // Replace HTML entities if enabled - if (this.options.htmlEntities) { - for (const entityName of Object.keys(this.htmlEntities)) { - const entity = this.htmlEntities[entityName]; - const matches = val.match(entity.regex); - if (matches) { - //console.log(matches); - this.entityExpansionCount += matches.length; - if (entityConfig.maxTotalExpansions && - this.entityExpansionCount > entityConfig.maxTotalExpansions) { - throw new Error( - `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}` - ); - } - } - val = val.replace(entity.regex, entity.val); - } - } - - // Replace ampersand entity last - val = val.replace(this.ampEntity.regex, this.ampEntity.val); - - return val; + return this.entityDecoder.decode(val); } @@ -217849,20 +219797,14 @@ function saveTextToParentTag(textData, parentNode, matcher, isLeafNode) { return textData; } -//TODO: use jPath to simplify the logic /** * @param {Array} stopNodeExpressions - Array of compiled Expression objects * @param {Matcher} matcher - Current path matcher */ -function isItStopNode(stopNodeExpressions, matcher) { - if (!stopNodeExpressions || stopNodeExpressions.length === 0) return false; +function isItStopNode() { + if (this.stopNodeExpressionsSet.size === 0) return false; - for (let i = 0; i < stopNodeExpressions.length; i++) { - if (matcher.matches(stopNodeExpressions[i])) { - return true; - } - } - return false; + return this.matcher.matchesAny(this.stopNodeExpressionsSet); } /** @@ -217872,32 +219814,38 @@ function isItStopNode(stopNodeExpressions, matcher) { * @returns */ function tagExpWithClosingIndex(xmlData, i, closingChar = ">") { - let attrBoundary; - let tagExp = ""; - for (let index = i; index < xmlData.length; index++) { - let ch = xmlData[index]; + //TODO: ignore boolean attributes in tag expression + //TODO: if ignore attributes, dont read full attribute expression but the end. But read for xml declaration + let attrBoundary = 0; + const len = xmlData.length; + const closeCode0 = closingChar.charCodeAt(0); + const closeCode1 = closingChar.length > 1 ? closingChar.charCodeAt(1) : -1; + + let result = ''; + let segmentStart = i; + + for (let index = i; index < len; index++) { + const code = xmlData.charCodeAt(index); + if (attrBoundary) { - if (ch === attrBoundary) attrBoundary = "";//reset - } else if (ch === '"' || ch === "'") { - attrBoundary = ch; - } else if (ch === closingChar[0]) { - if (closingChar[1]) { - if (xmlData[index + 1] === closingChar[1]) { - return { - data: tagExp, - index: index - } + if (code === attrBoundary) attrBoundary = 0; + } else if (code === 34 || code === 39) { // " or ' + attrBoundary = code; + } else if (code === closeCode0) { + if (closeCode1 !== -1) { + if (xmlData.charCodeAt(index + 1) === closeCode1) { + result += xmlData.substring(segmentStart, index); + return { data: result, index }; } } else { - return { - data: tagExp, - index: index - } + result += xmlData.substring(segmentStart, index); + return { data: result, index }; } - } else if (ch === '\t') { - ch = " " + } else if (code === 9 && !attrBoundary) { // \t - only replace with space outside attribute values + // Flush accumulated segment, add space, start new segment + result += xmlData.substring(segmentStart, index) + ' '; + segmentStart = index + 1; } - tagExp += ch; } } @@ -217910,6 +219858,12 @@ function findClosingIndex(xmlData, str, i, errMsg) { } } +function findClosingChar(xmlData, char, i, errMsg) { + const closingIndex = xmlData.indexOf(char, i); + if (closingIndex === -1) throw new Error(errMsg); + return closingIndex; // no offset needed +} + function readTagExp(xmlData, i, removeNSPrefix, closingChar = ">") { const result = tagExpWithClosingIndex(xmlData, i + 1, closingChar); if (!result) return; @@ -217951,10 +219905,12 @@ function readStopNodeData(xmlData, tagName, i) { // Starting at 1 since we already have an open tag let openTagCount = 1; - for (; i < xmlData.length; i++) { + const xmllen = xmlData.length; + for (; i < xmllen; i++) { if (xmlData[i] === "<") { - if (xmlData[i + 1] === "/") {//close tag - const closeIndex = findClosingIndex(xmlData, ">", i, `${tagName} is not closed`); + const c1 = xmlData.charCodeAt(i + 1); + if (c1 === 47) {//close tag '/' + const closeIndex = findClosingChar(xmlData, ">", i, `${tagName} is not closed`); let closeTagName = xmlData.substring(i + 2, closeIndex).trim(); if (closeTagName === tagName) { openTagCount--; @@ -217966,13 +219922,16 @@ function readStopNodeData(xmlData, tagName, i) { } } i = closeIndex; - } else if (xmlData[i + 1] === '?') { + } else if (c1 === 63) { //? const closeIndex = findClosingIndex(xmlData, "?>", i + 1, "StopNode is not closed.") i = closeIndex; - } else if (xmlData.substr(i + 1, 3) === '!--') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 45 + && xmlData.charCodeAt(i + 3) === 45) { // '!--' const closeIndex = findClosingIndex(xmlData, "-->", i + 3, "StopNode is not closed.") i = closeIndex; - } else if (xmlData.substr(i + 1, 2) === '![') { + } else if (c1 === 33 + && xmlData.charCodeAt(i + 2) === 91) { // '![' const closeIndex = findClosingIndex(xmlData, "]]>", i, "StopNode is not closed.") - 2; i = closeIndex; } else { @@ -218246,8 +220205,8 @@ class XMLParser { throw Error(`${result.err.msg}:${result.err.line}:${result.err.col}`) } } - const orderedObjParser = new OrderedObjParser(this.options); - orderedObjParser.addExternalEntities(this.externalEntities); + const orderedObjParser = new OrderedObjParser(this.options, this.externalEntities); + // orderedObjParser.entityDecoder.setExternalEntities(this.externalEntities); const orderedResult = orderedObjParser.parseXml(xmlData); if (this.options.preserveOrder || orderedResult === undefined) return orderedResult; else return prettify(orderedResult, this.options, orderedObjParser.matcher, orderedObjParser.readonlyMatcher); From f7ea8eff6cb6a86f8707769e7ab4f9a621f8fcc4 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 00:15:30 +0000 Subject: [PATCH 3/3] fix: apply audit fixes --- package-lock.json | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/package-lock.json b/package-lock.json index 24261b4..ed83cbc 100644 --- a/package-lock.json +++ b/package-lock.json @@ -656,6 +656,18 @@ "uuid": "dist/bin/uuid" } }, + "node_modules/@nodable/entities": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/@nodable/entities/-/entities-2.1.0.tgz", + "integrity": "sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/nodable" + } + ], + "license": "MIT" + }, "node_modules/@octokit/auth-token": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz", @@ -1199,9 +1211,9 @@ "license": "MIT" }, "node_modules/fast-xml-builder": { - "version": "1.1.4", - "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz", - "integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==", + "version": "1.1.5", + "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.5.tgz", + "integrity": "sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==", "funding": [ { "type": "github", @@ -1214,9 +1226,9 @@ } }, "node_modules/fast-xml-parser": { - "version": "5.5.8", - "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.8.tgz", - "integrity": "sha512-Z7Fh2nVQSb2d+poDViM063ix2ZGt9jmY1nWhPfHBOK2Hgnb/OW3P4Et3P/81SEej0J7QbWtJqxO05h8QYfK7LQ==", + "version": "5.7.2", + "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.7.2.tgz", + "integrity": "sha512-P7oW7tLbYnhOLQk/Gv7cZgzgMPP/XN03K02/Jy6Y/NHzyIAIpxuZIM/YqAkfiXFPxA2CTm7NtCijK9EDu09u2w==", "funding": [ { "type": "github", @@ -1225,9 +1237,10 @@ ], "license": "MIT", "dependencies": { - "fast-xml-builder": "^1.1.4", - "path-expression-matcher": "^1.2.0", - "strnum": "^2.2.0" + "@nodable/entities": "^2.1.0", + "fast-xml-builder": "^1.1.5", + "path-expression-matcher": "^1.5.0", + "strnum": "^2.2.3" }, "bin": { "fxparser": "src/cli/cli.js" @@ -1650,9 +1663,9 @@ } }, "node_modules/path-expression-matcher": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.2.0.tgz", - "integrity": "sha512-DwmPWeFn+tq7TiyJ2CxezCAirXjFxvaiD03npak3cRjlP9+OjTmSy1EpIrEbh+l6JgUundniloMLDQ/6VTdhLQ==", + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz", + "integrity": "sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==", "funding": [ { "type": "github", @@ -1780,9 +1793,9 @@ } }, "node_modules/strnum": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz", - "integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==", + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.3.tgz", + "integrity": "sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==", "funding": [ { "type": "github",